
Certificate Overview and Problem

Posted on 2011-03-09
Last Modified: 2012-05-11
In regards to that annoying invalid certificate warning that IE provides when accessing my own server (see picture):

I have a general question regarding certificates.  I understand the whole public key/private key thing.  I understand a server issues an SSL certificate and that the server can self-create its certificate. I understand that there are authorities that verify the owners of the certificates because they know the private key that goes with the public key.  So please don't provide those answers as part of my question.

My question is 1) Is there a general overview that presents more clearly what all the different types of certificates in Internet Explorer/Windows are?
I.e. what are Intermediate CA, Trusted Root Certification A, Trusted Publishers? What is the difference between them?

I have a server that I know is good.  I put it together. I created the certificate.  I know the keys.  Why can't I just install that certificate in "Trusted Publishers", "Intermediate CA", or "Trusted Root CA"?

I don't want to pay VeriSign or Thawte for a menial task that takes very little processing time.

What piece of knowledge am I missing?  What don't I understand?

Sincerely,
Dan


CertificateQuestionPicture.jpg
Question by: dwkrueger
1 Comment

Accepted Solution by: Dave Howe (earned 500 total points), ID: 35087180
Usually, a browser won't accept a self-signed server certificate into the store, no matter how hard you try.

Ignore Trusted Publishers for now; it's not applicable. The three you need to manage are the end server certificate, the intermediate (if any) and the root CA.

Root CAs are self-signed certificates that have the CA bit set. They are imported into the trusted root CA keystore.

Intermediates are CAs that are not self-signed, but are signed by another CA. Those can be imported into the intermediate keystore, supplied by the server, or fetched by the browser from a reference in the server certificate (the new method).

End user (server) certificates do not have the CA bit set, but instead have a usage bit set to indicate they are able to encrypt keys, digitally sign, and protect traffic.

Now, if you want to avoid having to pay for your own server's certificate AND don't really care if anyone else gets the warning, as long as your own staff don't, then what you do is to create your own root CA (MS enterprise server software has a CA, as does Novell, or you can use the free tool at http://sourceforge.net/projects/xca ).

Using this CA, you export the CA certificate (only) and then import a signing request from your server as though you were Thawte. You then export the signed certificate back out from your CA and import it into your server.

By adding your own CA into your trusted root CA keystore (and into that of any other machines, using Group Policy, manually by double-clicking a CER file, or by exporting the registry key and importing that however you do registry imports), the server cert will be trusted, as it is signed by a CA in your trusted root CA keystore.
