Help understanding Certificates and Trust

Hello Experts - I've been coming across a lot of certificate issues lately and I want to get a better handle on how they work and how to get computers in a Server 2008 domain to trust them.  Here is a list of items using untrusted certificates that I'd like to get worked out:

1) VMware vCenter
2) Cisco AnyConnect VPN
3) Cisco wireless guest network
4) Cisco wireless private network

Each issues their own certificate which we're using now but since they are not from a trusted authority we get prompted to accept them at each use.  One thing I really don't understand:  when the certificate is added to the local machine's certificate store in my mind it should be trusted now.  Instead I still get prompted to accept the untrusted certificate even after a successful import.

So I must be missing something about how certificate trust works.  In addition to that I'd like to understand how to enable computers in my domain to trust a self-signed certificate using group policy.  I'd very much appreciate any tips or info on the topic, thanks!
Nathan P

Certificate trust works in that your computer has been pre-populated with the public certificates of trusted 3rd-party "Certificate Authorities" (CAs).  This includes the likes of Verisign, Entrust, etc.

Then, for any certificate they 'sign', your computer recognizes that the certificate from website xyz.com is signed by them, therefore 'guaranteeing' that the owner of 'xyz.com' paid that trusted company to have their certificate produced.  In the case of "Extended Validation" certificates, they even paid for their company to be checked out by the CA.  ( http://en.wikipedia.org/wiki/Extended_Validation_Certificate )

Your computer on a domain 'trusts' the domain "CA" because the domain orders it to, thereby delivering a copy of the domain CA's certificate to your computer, which allows you to sign certificates for internal use.  Of course, this doesn't work for websites you want external visitors to visit, as they don't know your domain's CA, or your domain (if you've done it right).

This means that if you have external visitors, you pay a 3rd party (as in, not you, not the visitor, but a 3rd person) CA to 'sign' the certificates for your website, meaning they can 'trust' you to be who you claim you are.

As for the matter of your machines not accepting the self-signed certificates when you 'import' them, it might be a matter of where you imported them to.  Your computer stores different types of certificates: ones that are trusted 3rd-party CAs, ones that are intermediary signing CAs, or ones that are given directly to your computer by a site, e.g. the ones you are having trouble with.  If you've imported them to the wrong type, that's where issues occur.

Either replace the self-signed certs from these with ones from your internal domain CA (since they are mostly internal use) or from a 3rd-party CA if you expect external access, or follow the import instructions for each product to the letter.

Here's VMware's one:  http://pubs.vmware.com/view-51/index.jsp#com.vmware.view.installation.doc/GUID-72922316-653D-4129-890F-3E62DF4F7A6B.html

Best of luck.
ASKER

Ok, great explanation, thanks!  Let me pose a question on this topic.  If I wanted to use the self-signed SSL certificate that an ASA generates for use with an AnyConnect VPN, how can I have my domain PCs trust it without having to confirm each time?  Here is what I did, which isn't working:

1) Connect to the VPN and get prompted to accept the certificate
2) When prompted I have the option to export the certificate
3) Export certificate to p7b style certificate
4) Copy certificate file over to my DC
5) Set up new group policy and followed these steps to add as a trusted certificate authority:
   http://community.spiceworks.com/how_to/show/16832-installing-a-self-signed-certificate-on-workstations-with-group-policy-using-the-group-policy-management-console-gpmc

I still get prompted to confirm the certificate each time.  This prevents certain features from working properly, like group policy processing.  Can you tell me what I'm doing wrong?

Update:  I verified that the group policy is working and I see the certificate in the list.  I also tried manually adding the certificate to each of the available certificate stores but I still get prompted each time I attempt to connect.
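Nathan P's point about which store a certificate lands in, and the import attempted in the steps above, can be checked on a domain PC with the script below. It is an added example, not code from this thread or from Cisco/VMware; it assumes the certificate exported from the AnyConnect prompt was saved as C:\certs\asa-selfsigned.cer (an assumed path, .cer or .p7b both work) and that the script runs in an elevated PowerShell session.

```powershell
# Added example: report which LocalMachine stores hold a certificate and whether
# Windows can build a trust chain for it, the same check client software performs.
# Usage: .\Test-CertTrust.ps1 -CertPath C:\certs\asa-selfsigned.cer
param(
    [string]$CertPath = 'C:\certs\asa-selfsigned.cer'   # assumed path, adjust to your export
)

# X509Certificate2Collection.Import handles .cer as well as .p7b bundles.
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($CertPath)

foreach ($cert in $certs) {
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Issuer     : $($cert.Issuer)"
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Self-signed: $($cert.Subject -eq $cert.Issuer)"

    # A self-signed device certificate only acts as a trust anchor when it sits in
    # 'Root' (Trusted Root Certification Authorities). Being in 'My' (Personal) or
    # 'CA' (Intermediate) does not make it trusted, which is the "wrong store" case.
    foreach ($storeName in 'Root', 'CA', 'My', 'TrustedPeople') {
        $found = Get-ChildItem "Cert:\LocalMachine\$storeName" |
                 Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        Write-Host ("  in {0,-14}: {1}" -f $storeName, [bool]$found)
    }

    # Build the chain through CryptoAPI. Revocation checking is skipped because a
    # self-signed device cert publishes no CRL; leave it on for CA-issued certs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    Write-Host "Chain builds: $ok"
    if (-not $ok) {
        # UntrustedRoot here means the cert is not in the machine's Root store.
        foreach ($s in $chain.ChainStatus) {
            Write-Host "  $($s.Status): $($s.StatusInformation.Trim())"
        }
    }
}
```

On Server 2008 and Windows 7 the certificate can be placed in the machine Root store with `certutil -addstore Root C:\certs\asa-selfsigned.cer`; chain trust is only part of what a client checks, and the name in the certificate must also match the host the client connects to, which this script does not test.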
ASKER CERTIFIED SOLUTION
Nathan P

I got it:  Issue certificate from CA, apply to device, automatically trusted.  Thanks!