Solved

Certificate Overview and Problem

Posted on 2011-03-09
406 Views
Last Modified: 2012-05-11
In regards to that annoying invalid certificate warning that IE provides when accessing my own server (see picture):

I have a general question regarding certificates.  I understand the whole public key/private key thing.  I understand a server issues an SSL certificate and that the server can self-create its certificate. I understand that there are authorities that verify the owners of the certificates because they know the private key that goes with the public key.  So please don't provide those answers as part of my question.

My question is 1)  Is there a general overview that presents more clearly what all the different types of certificates in Internet Explorer/Windows are?
I.e. what are Intermediate CA, Trusted Root Certification A, Trusted Publishers? What is the difference between them?

I have a server that I know is good.  I put it together. I created the certificate.  I know the keys.  Why can't I just install that certificate in "Trusted Publishers", "Intermediate CA", or "Trusted Root CA"?

I don't want to pay VeriSign or Thawte for a menial task that takes very little processing time.

What piece of knowledge am I missing?  What don't I understand?

Sincerely,
Dan


[Attached image: CertificateQuestionPicture.jpg]
Question by:dwkrueger
1 Comment
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 35087180
Usually, a browser won't accept a self signed server certificate into the store, no matter how hard you try.

Ignore Trusted Publisher for now, it's not applicable. The three you need to manage are the end server certificate, the intermediate (if any) and the root CA.

Root CAs are self-signed certificates that have the CA bit set. They are imported into the trusted root CA keystore.

Intermediates are CAs that are not self-signed, but are signed by another CA. Those can be imported into the intermediate keystore, supplied by the server, or fetched by the browser from a reference in the server certificate (the new method).

End user (server) certificates do not have the CA bit set, but instead have a usage bit set to indicate they are able to encrypt keys, digitally sign, and protect traffic.

Now, if you want to avoid having to pay for your own server's certificate AND don't really care if anyone else gets the warning, as long as your own staff don't, then what you do is to create your own root CA (MS enterprise server software has a CA, as does Novell, or you can use the free tool at http://sourceforge.net/projects/xca ).

Using this CA, you export the CA certificate (only) and then import a signing request from your server as though you were Thawte. You then export the signed certificate back out from your CA and import it into your server.

By adding your own CA into your trusted CA keystore (and into that of any other machines, using group policy, manually by double-clicking a CER file, or by exporting the registry key and importing that however you do registry imports) the server cert will be trusted, as it is signed by a CA in your trusted root CA keystore.
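The procedure in the answer above, as an added PowerShell example that is not part of the original post or of any tool it mentions. It builds the three pieces the answer describes (a self-signed root with the CA bit set, an end-entity server certificate without it but with the signing/key-encipherment usage bits, and the CA certificate imported into the Trusted Root store) and shows the chain failing before the import and succeeding after. It assumes Windows 10 / Server 2016 or later (PKI module), an elevated session, and uses placeholder names for the CA and host.

```powershell
# Added example, not from the answer above: a PowerShell version of the
# "be your own Thawte" procedure for a Windows machine. Assumes Windows 10 /
# Server 2016 or later (PKI module present) and an elevated session. The CA
# name and host name below are placeholders.

$caName   = "Example Lab Root CA"          # placeholder
$hostName = "intranet.example.local"       # placeholder

# Inspect the Basic Constraints extension: this is the "CA bit" the answer
# refers to. Root and intermediate CAs have it set; server certs do not.
function Get-IsCa([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc) { [bool]$bc.CertificateAuthority } else { $false }
}

# Build the chain the way the browser does: walk from the server cert up to a
# root that is present in the Trusted Root store. Revocation checking is off
# because this private CA publishes no CRL.
function Test-ChainTrusted([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Host "  chain status: $($s.Status) - $($s.StatusInformation)"
    }
    return $ok
}

# 1. Root CA: self-signed, CA=true, allowed to sign certificates and CRLs.
#    pathlength=0 means it may issue end-entity certs but no sub-CAs.
$rootCa = New-SelfSignedCertificate `
    -Subject "CN=$caName" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyUsageProperty Sign `
    -TextExtension @("2.5.29.19={critical}{text}ca=true&pathlength=0") `
    -NotAfter (Get-Date).AddYears(10) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# 2. Server (end-entity) certificate issued by that CA: no CA bit, but the
#    usage bits for digital signature and key encipherment, plus the
#    Server Authentication EKU (1.3.6.1.5.5.7.3.1) so browsers accept it for TLS.
$serverCert = New-SelfSignedCertificate `
    -Subject "CN=$hostName" -DnsName $hostName `
    -Signer $rootCa `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation "Cert:\LocalMachine\My"

"Root CA has CA bit:     $(Get-IsCa $rootCa)"
"Server cert has CA bit: $(Get-IsCa $serverCert)"

# 3. Before the CA is trusted, the chain ends at an untrusted root. This is the
#    state that produces the IE warning in the question.
"Trusted before import: $(Test-ChainTrusted $serverCert)"

# 4. Export the CA certificate only (no private key) and import it into the
#    machine's Trusted Root store. The same .cer is what you deploy to staff
#    machines by double-clicking it or via Group Policy.
$caFile = Join-Path $env:TEMP "ExampleLabRootCA.cer"
Export-Certificate -Cert $rootCa -FilePath $caFile | Out-Null
Import-Certificate -FilePath $caFile -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 5. Now the server certificate chains to a root in the trusted store.
"Trusted after import:  $(Test-ChainTrusted $serverCert)"
```

The part worth thinking about is custody of the root's private key: once the CA certificate sits in every staff machine's Trusted Root store, anything that key signs is trusted by all of them, so after issuing the server certificate export the root to a password-protected PFX (`Export-PfxCertificate`) kept offline, and remove it from `Cert:\LocalMachine\My` on the web server, which only needs the server certificate and its own key. The `pathlength=0` constraint limits the damage a leaked key could do by forbidding sub-CAs, but it does not replace keeping the key off the network-facing box.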