
Certificate Overview and Problem

Posted on 2011-03-09
Medium Priority
417 Views
Last Modified: 2012-05-11
In regards to that annoying invalid certificate warning that IE provides when accessing my own server (see picture):

I have a general question regarding certificates. I understand the whole public key/private key thing. I understand a server issues an SSL certificate and that the server can self-create its certificate. I understand that there are authorities that verify the owners of the certificates because they know the private key that goes with the public key. So please don't provide those answers as part of my question.

My question is: 1) Is there a general overview that presents more clearly what all the different types of certificates in Internet Explorer/Windows are?
I.e. what are Intermediate CA, Trusted Root Certification Authorities, Trusted Publishers? What is the difference between them?

I have a server that I know is good. I put it together. I created the certificate. I know the keys. Why can't I just install that certificate in "Trusted Publishers", "Intermediate CA", or "Trusted Root CA"?

I don't want to pay VeriSign or Thawte for a menial task that takes very little processing time.

What piece of knowledge am I missing? What don't I understand?

Sincerely,
Dan


CertificateQuestionPicture.jpg
Question by:dwkrueger
Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 35087180
Usually, a browser won't accept a self-signed server certificate into the store, no matter how hard you try.

Ignore Trusted Publishers for now; it's not applicable. The three you need to manage are the end server certificate, the intermediate (if any) and the root CA.

Root CAs are self-signed certificates that have the CA bit set. They are imported into the trusted root CA keystore.

Intermediates are CAs that are not self-signed, but are signed by another CA. Those can be imported into the intermediate keystore, supplied by the server, or fetched by the browser from a reference in the server certificate (the new method).

End user (server) certificates do not have the CA bit set, but instead have a usage bit set to indicate they are able to encrypt keys, digitally sign, and protect traffic.

Now, if you want to avoid having to pay for your own server's certificate AND don't really care if anyone else gets the warning, as long as your own staff don't, then what you do is to create your own root CA (MS enterprise server software has a CA, as does Novell, or you can use the free tool at http://sourceforge.net/projects/xca).

Using this CA, you export the CA certificate (only) and then import a signing request from your server as though you were Thawte. You then export the signed certificate back out from your CA and import it into your server.

By adding your own CA into your trusted CA keystore (and into that of any other machines, using Group Policy, manually by double-clicking a CER file, or by exporting the registry key and importing that however you do registry imports), the server cert will be trusted, as it is signed by a CA in your trusted root CA keystore.
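The workflow in the accepted answer (build a private root CA with the CA bit set, have the server produce a signing request, sign it at the CA as an end-entity certificate, then trust the CA certificate), as an added example that is not part of Dave Howe's answer or the original page. It uses the openssl command line (OpenSSL 1.1.1 or later) in place of xca or the Microsoft CA, and the CA name "Example Internal Root CA", the host name "intranet.example.local" and the `$WORK` scratch directory are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: private root CA + signed server
# certificate with the openssl CLI. Names below are hypothetical.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Root CA: self-signed, CA bit set (basicConstraints CA:TRUE), key usage limited
# to signing certificates and CRLs. rootca.key must never leave the CA machine.
make_root_ca() {
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/rootca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/rootca.key" -out "$WORK/rootca.csr" \
        -subj '/CN=Example Internal Root CA' >/dev/null 2>&1
    openssl x509 -req -sha256 -days 3650 -in "$WORK/rootca.csr" \
        -signkey "$WORK/rootca.key" -extfile "$WORK/rootca.ext" \
        -out "$WORK/rootca.crt" >/dev/null 2>&1
}

# Server side: key plus certificate signing request (CSR). Only the CSR goes to
# the CA; server.key stays on the server.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# CA side: sign the CSR as an end-entity cert: CA:FALSE, the TLS server usage
# bits, and a SAN matching the host name users will type into the browser.
sign_server_cert() {
    printf '%s\n' \
        'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$1" > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$WORK/server.csr" \
        -CA "$WORK/rootca.crt" -CAkey "$WORK/rootca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Prints yes/no: does the certificate carry the CA bit?
has_ca_bit() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Chain check with the private root as trust anchor: what the browser does once
# rootca.crt is in Trusted Root Certification Authorities.
verify_with_ca() {
    if openssl verify -CAfile "$WORK/rootca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The same server.crt checked with no private trust anchor: the warning from the
# question. (-no-CAfile/-no-CApath need OpenSSL 1.1.0 or later.)
verify_without_ca() {
    if openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_root_ca
make_server_csr intranet.example.local
sign_server_cert intranet.example.local
echo "root CA has CA bit:     $(has_ca_bit "$WORK/rootca.crt")"
echo "server cert has CA bit: $(has_ca_bit "$WORK/server.crt")"
echo "with root CA trusted:   $(verify_with_ca)"
echo "with no CA trusted:     $(verify_without_ca)"
echo "import into Trusted Root CAs on each client: $WORK/rootca.crt"
```

Only rootca.crt is distributed to clients (on Windows, `certutil -addstore Root rootca.crt` from an elevated prompt, or via Group Policy as the answer describes); the server gets server.key and server.crt. Because every client that trusts this root will accept any certificate it signs, for any name, guard rootca.key at least as carefully as a domain admin credential.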
