cdesk458

asked on

Generating SSL certificates using Microsoft 2003 Standalone CA

I would like to generate my own SSL certificates. This will be used for testing internal IIS and WCF based applications. While I can create a self-signed certificate, that is not an accurate test for what our users will experience when installing our software in public and adding a production SSL certificate.

My question is: Will the Microsoft 2003 Standalone CA allow me to create certificates that will be trusted by all browsers?

If the answer is yes, then do I need to update the root certificate that is used by my Standalone CA?

If the answer is yes, how do I do that?  

I'm guessing that I get a certificate from VeriSign and then install it in my CA. Then the certificates that I generate will be “trusted” since people who go to my website will see that the certificate was generated by my company and VeriSign trusts me.

CoccoBill

> My question is: Will the Microsoft 2003 Standalone CA allow me to create certificates that will be trusted by all browsers?

Yes, but not directly: you will need to install the root CA certificate of your CA into the Trusted Root Certificates store of each computer.

> If the answer is yes, then do I need to update the root certificate that is used by my Standalone CA?

No actions are required regarding the CA certificate itself.

> If the answer is yes, how do I do that?

First you need to export the root CA cert: http://support.microsoft.com/kb/555252

Then you need to deploy that somehow to the clients, either using a GPO: http://support.microsoft.com/kb/555252 or manually: http://www.isaserver.org/img/upl/exchangekit/importrootca/importrootca.htm

> I'm guessing that I get a certificate from VeriSign and then install it in my CA. Then the certificates that I generate will be “trusted” since people who go to my website will see that the certificate was generated by my company and VeriSign trusts me.

This is not possible. VeriSign will not allow you to create trusted "VeriSign" certificates. You can either "tell" all your computers that the certificates from your own CA are trusted by installing your root CA cert, or buy certificates from a company that is by default in the trusted root certificates list.
arnold
A self-signed certificate is only trusted by itself by default, and by the AD in which the CA is installed.
i.e. if I can issue myself a laminated card saying I am the best driver, will others see it as valid?

For testing purposes it is a valid test. All a certificate does is "authenticate the destination to the user". The encryption functionality remains the same, whether the certificate in use is signed by a trusted CA (VeriSign, GoDaddy, Thawte, GeoTrust, etc.) or is self-signed, when testing on a network/system to which the self-signed certificate's CA is added as trusted locally.

Unless you get the delegated trust certificate, getting a certificate for mydomain.com will not let you use this certificate to sign others. I.e. you have to get a certificate that can be used as a signing authority (delegated) from the initial signer,
i.e. the path will be one of the known trusted CAs (VeriSign, GoDaddy, Thawte, GeoTrust, etc.),
then your intermediate certificate, and then the end-user certificate.
This way your trust is derived/inherited from the top CA that signed your certificate.
This type of certificate is expensive since you can then issue certificates to everyone and they will be globally trusted. If such a certificate is sold, it is very expensive and you would have to satisfy the rules/requirements of the signing CA. I.e. you would have the liability if you issue (sign) a certificate without validating that the request is coming from an authorized person/owner of the underlying domain, i.e. to avoid the same thing that recently happened when www.google.com and www.yahoo.com certificates were issued to a party to which the underlying domains did not belong. (A Windows update with a revocation list was pushed to avoid having users become victims of fraud.)


 
ASKER CERTIFIED SOLUTION
btan