Solved

Certificate Overview and Problem

Posted on 2011-03-09
416 Views
Last Modified: 2012-05-11
In regards to that annoying invalid certificate warning that IE provides when accessing my own server (see picture):

I have a general question regarding certificates. I understand the whole public key/private key thing. I understand a server issues an SSL certificate and that the server can self-create its certificate. I understand that there are authorities that verify the owners of the certificates because they know the private key that goes with the public key. So please don't provide those answers as part of my question.

My question is: 1) Is there a general overview that presents more clearly what all the different types of certificates in Internet Explorer/Windows are?
I.e. what are Intermediate CA, Trusted Root Certification A, Trusted Publishers? What is the difference between them?

I have a server that I know is good. I put it together. I created the certificate. I know the keys. Why can't I just install that certificate in "Trusted Publishers", "Intermediate CA", or "Trusted Root CA"?

I don't want to pay VeriSign or Thawte for a menial task that takes very little processing time.

What piece of knowledge am I missing?  What don't I understand?

Sincerely,
Dan


CertificateQuestionPicture.jpg
Question by:dwkrueger
1 Comment
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 35087180
Usually, a browser won't accept a self-signed server certificate into the store, no matter how hard you try.

Ignore Trusted Publishers for now; it's not applicable. The three you need to manage are the end server certificate, the intermediate (if any) and the root CA.

Root CAs are self-signed certificates that have the CA bit set. They are imported into the Trusted Root CA keystore.

Intermediates are CAs that are not self-signed, but are signed by another CA. Those can be imported into the intermediate keystore, supplied by the server, or fetched by the browser from a reference in the server certificate (the new method).

End user (server) certificates do not have the CA bit set, but instead have usage bits set to indicate they are able to encrypt keys, digitally sign, and protect traffic.

Now, if you want to avoid having to pay for your own server's certificate AND don't really care if anyone else gets the warning, as long as your own staff don't, then what you do is create your own root CA (MS enterprise server software has a CA, as does Novell, or you can use the free tool at http://sourceforge.net/projects/xca ).

Using this CA, you export the CA certificate (only) and then import a signing request from your server as though you were Thawte. You then export the signed certificate back out from your CA and import it into your server.

By adding your own CA into your Trusted Root CA keystore (and into that of any other machines, using Group Policy, manually by double-clicking a CER file, or by exporting the registry key and importing that however you do registry imports) the server cert will be trusted, as it is signed by a CA in your Trusted Root CA keystore.
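The procedure in the accepted answer (build a private root CA, sign the server's request with it, then trust only the CA certificate) carried out with the openssl command line, as an added example that is not part of the original answer and not the xca tool it mentions. The working directory, the hostname "intranet.example.local" and all file names are assumptions; the root CA certificate gets CA:TRUE and keyCertSign, the server certificate gets CA:FALSE plus the TLS server key usages the answer describes, and the last function shows what the browser sees before and after the CA is trusted.

```shell
#!/bin/sh
# Added example (not from the original post): private root CA with openssl.
# WORK directory, HOST and file names are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-intranet.example.local}"

make_ca_and_server_cert() {
    # 1. Root CA: self-signed, CA bit set, allowed to sign certificates/CRLs.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" \
        -config "$WORK/ca.cnf" 2>/dev/null

    # 2. Server side: private key plus a signing request (CSR). Only the CSR
    #    travels to the CA; server.key never leaves the server.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$HOST" -config "$WORK/ca.cnf" 2>/dev/null

    # 3. Sign the CSR "as though you were Thawte": no CA bit, TLS server
    #    usages, and a SAN matching the name the browser will type.
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.cer" 2>/dev/null
}

# Before the CA is trusted: validate server.cer against the system store only.
# Returns non-zero ("unable to get local issuer certificate"), which is the
# situation behind the IE warning.
verify_without_ca() {
    openssl verify "$WORK/server.cer" >/dev/null 2>&1
}

# After the CA is trusted: validate with ca.cer as a trust anchor, which is
# what the browser does once ca.cer sits in the Trusted Root CA store.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.cer" "$WORK/server.cer" >/dev/null 2>&1
}

# Prints CA:TRUE or CA:FALSE for a certificate, to compare root and server.
ca_flag() {
    openssl x509 -in "$1" -noout -text | grep -o 'CA:[A-Z]*' | head -n 1
}
```

Distribute only ca.cer: on a single Windows machine `certutil -addstore Root ca.cer` imports it into the Trusted Root Certification Authorities store (the same result as double-clicking the CER file), and Group Policy pushes it to the rest of the domain; ca.key stays offline with whoever runs the CA, and server.cer plus server.key go to the web server.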
