Generating SSL certificates using Microsoft 2003 Standalone CA

cdesk458
I would like to generate my own SSL certificates. This will be used for testing internal IIS and WCF based applications. While I can create a self-signed certificate, that is not an accurate test for what our users will experience when installing our software in public and adding a production SSL certificate.

My question is: Will the Microsoft 2003 Standalone CA allow me to create certificates that will be trusted by all browsers?

If the answer is yes, then do I need to update the root certificate that is used by my Standalone CA?

If the answer is yes, how do I do that?  

I'm guessing that I get a certificate from VeriSign and then install it in my CA. Then the certificates that I generate will be "trusted" since people who go to my website will see that the certificate was generated by my company and VeriSign trusts me.

> My question is: Will the Microsoft 2003 Standalone CA allow me to create certificates that will be trusted by all browsers??

Yes, but not directly: you will need to install the root CA certificate of your CA into the Trusted Root Certificates store of each computer.

> If the answer is yes, then do I need to update the root certificate that is used by my Standalone CA?

No actions are required regarding the CA certificate itself.

> If the answer is yes, how do I do that?

First you need to export the root CA cert: http://support.microsoft.com/kb/555252

Then you need to deploy that somehow to the clients, either using a GPO: http://support.microsoft.com/kb/555252 or manually: http://www.isaserver.org/img/upl/exchangekit/importrootca/importrootca.htm

> I'm guessing that I get a certificate from VeriSign and then install it in my CA. Then the certificates that I generate will be "trusted" since people who go to my website will see that the certificate was generated by my company and VeriSign trusts me.

This is not possible. VeriSign will not allow you to create trusted "VeriSign" certificates. You can either "tell" all your computers that the certificates from your own CA are trusted by installing your root CA cert, or buy certificates from a company that is by default in the trusted root certificates list.
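The deployment step in the answer above (export the root CA certificate, put it in each client's Trusted Root store, and then confirm that a certificate issued by the standalone CA is accepted) can be checked from PowerShell. The script below is an added example, not code from the thread or from Microsoft; the file paths are assumptions, and it must run as a local administrator because it writes to the LocalMachine\Root store.

```powershell
# Added example (not from the thread): install an exported root CA certificate
# into the machine-wide Trusted Root store, then confirm that a server certificate
# issued by that CA builds a valid chain the way a browser on this machine would.
param(
    [string]$RootCaCerPath  = 'C:\pki\MyRootCA.cer',    # assumed: the root cert exported from the CA
    [string]$ServerCertPath = 'C:\pki\appserver.cer'    # assumed: the IIS/WCF server certificate
)

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaCerPath)

# Only a self-signed CA certificate belongs in Trusted Root. Anything else (for
# example an intermediate CA) belongs in the Intermediate CAs store instead.
if ($root.Subject -ne $root.Issuer) {
    throw "$RootCaCerPath is not self-signed; it belongs in the Intermediate CA store, not Trusted Root."
}
Write-Host "Root CA: $($root.Subject)  thumbprint $($root.Thumbprint)"

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
if (-not $store.Certificates.Contains($root)) {
    $store.Add($root)
    Write-Host 'Installed root CA into LocalMachine\Root'
} else {
    Write-Host 'Root CA already present in LocalMachine\Root'
}
$store.Close()

# Build the chain for the server certificate exactly as a client on this machine would.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# A freshly built test CA often has no CRL published yet; skipping revocation
# isolates the question "is the root trusted?" from "is the CRL reachable?".
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($leaf)

foreach ($el in $chain.ChainElements) { Write-Host "  -> $($el.Certificate.Subject)" }
if ($ok) {
    Write-Host "Chain valid: $($leaf.Subject) is trusted on this machine."
} else {
    # Each ChainStatus entry names the reason (UntrustedRoot, NotTimeValid, PartialChain, ...).
    foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation)" }
}
```

Before the root is installed, the chain build reports UntrustedRoot, which is exactly the browser warning the question describes; after it is installed, the same leaf validates. The manual equivalent of the install step is `certutil -addstore Root C:\pki\MyRootCA.cer`; for a domain-wide rollout, the Group Policy approach linked in the answer pushes the same certificate to every machine's Trusted Root store.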
Distinguished Expert 2017

Commented:
A self-signed certificate is only trusted by itself by default and by the AD in which the CA is installed.
I.e. if I can issue myself a laminated card saying "I am the best driver", will others see it as valid?

For testing purposes it is a valid test. All a certificate does is "authenticate the destination to the user". The encryption functionality remains the same, whether the certificate in use is signed by a trusted CA (VeriSign, GoDaddy, Thawte, GeoTrust, etc.) or is self-signed, when testing on a network/system to which the self-signed certificate's CA is added as trusted locally.

Unless you get the delegated trust certificate, getting a certificate for mydomain.com will not let you use this certificate to sign others. I.e. you have to get a certificate that can be used as a signing authority (delegated) from the initial signer,
i.e. the path will be one of the known trusted CAs (VeriSign, GoDaddy, Thawte, GeoTrust, etc.),
then your intermediate certificate, and then the end user certificate.
This way your trust is derived/inherited from the top CA that signed your certificate.
This type of certificate is expensive since you can then issue certificates to everyone and they will be globally trusted. If such a certificate is sold, it is very expensive and you would have to satisfy the rules/requirements of the signing CA. I.e. you would have the liability if you issue (sign) a certificate without validating that the request is coming from an authorized person/owner of the underlying domain, i.e. to avoid the same thing that recently happened when www.google.com and www.yahoo.com certificates were issued to a party to which the underlying domains did not belong. (A Windows update with a revocation list was pushed to avoid having users become victims of fraud.)

Exec Consultant
Distinguished Expert 2018
Commented:
By default, any CA certificate you create yourself, regardless of whether it is an enterprise or a standalone CA, is never within the trusted root certificates, and hence the browser will show the standard prompt about an untrusted/unknown publisher.

To be more specific, only the root CA must be trusted by placing its certificate in the Trusted Root CAs store. The sub-CAs' certificates must only be available at the time the client is trying to validate the chain. This means that the sub-CAs' certificates must be either locally installed into the Intermediate CAs store, or their certificates must be accessible online through paths found in the leaf's and their own AIA extensions (if present). You can also check the path access by using `certutil -URL appl-server-cert.cer`.
Below is one link that explains more:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f411cbc0-a198-40ba-aca1-2c2b36078134/

Also, specifically for machine and user certs, they are in different stores and the browser will retrieve them accordingly. E.g. depending on the user who logs into the computer, IE will display their certificate store. So if the LocalSystem account were to use IE for some reason, it would be the local computer's store. But if your user account accesses it, it would display your store.

As for VeriSign, its usage is probably to have it sign your actual cert that is not within the trusted root. In other words, your CA is actually an intermediate issuing CA server. That can be done online by pasting your public cert encoded binary, but rather than going through such hassle, you may just go for VeriSign directly if it is for a small deployment, since there may be a fee.

Just some thoughts.
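The answer above makes the point that a client needs the intermediate (sub-CA) certificate either from its local Intermediate CAs store or via the AIA extension in the leaf. The following script is an added example, not code from the thread, that reports which of those two paths a given server certificate offers; the certificate path is an assumption, and it reads only the LocalMachine\CA store, so it does not need administrator rights.

```powershell
# Added example (not from the thread): for a leaf (server) certificate, report where a
# client could obtain the issuing CA certificate: the local Intermediate CAs store, or
# the "CA Issuers" URLs carried in the leaf's Authority Information Access extension.
param([string]$LeafCertPath = 'C:\pki\appserver.cer')   # assumed path to the server cert

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafCertPath)
Write-Host "Leaf:   $($leaf.Subject)"
Write-Host "Issuer: $($leaf.Issuer)"

# 1. Is the issuer already present in LocalMachine\CA (the Intermediate CAs store)?
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$caStore.Open('ReadOnly')
$issuers = $caStore.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
    $leaf.Issuer, $false)
$caStore.Close()
if ($issuers.Count -gt 0) {
    Write-Host "Issuer found locally in the Intermediate CAs store ($($issuers.Count) match(es))."
} else {
    Write-Host 'Issuer NOT in the Intermediate CAs store; a client must fetch it via AIA.'
}

# 2. Read the AIA extension (OID 1.3.6.1.5.5.7.1.1) and extract its URLs. The
#    extension can carry both "CA Issuers" (the issuer cert) and OCSP entries;
#    Format($true) renders it as text with one "URL=..." per access location.
$aia = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
if (-not $aia) {
    Write-Warning 'No AIA extension: a client without the issuer cert locally cannot complete the chain.'
} else {
    $urls = [regex]::Matches($aia.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host "AIA $u -> HTTP $($r.StatusCode)"
        } catch {
            Write-Warning "AIA $u unreachable from this host: $($_.Exception.Message)"
        }
    }
}
```

If the issuer is missing from the store and every AIA URL is unreachable, clients will report a partial chain even when the root itself is trusted, which is the failure mode the answer warns about. The `certutil -URL` tool mentioned in the answer performs the same reachability check interactively, including the CRL and OCSP locations.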
