Help understanding Certificates and Trust

Hello Experts - I've been coming across a lot of certificate issues lately and I want to get a better handle on how they work and how to get computers in a Server 2008 domain to trust them.  Here is a list of items using untrusted certificates that I'd like to get worked out:

1) VMware Vcenter
2) Cisco Anyconnect VPN
3) Cisco wireless guest network
4) Cisco wireless private network

Each issues their own certificate which we're using now but since they are not from a trusted authority we get prompted to accept them at each use.  One thing I really don't understand:  when the certificate is added to the local machine's certificate store in my mind it should be trusted now.  Instead I still get prompted to accept the untrusted certificate even after a successful import.

So I must be missing something about how certificate trust works.  In addition to that I'd like to understand how to enable computers in my domain to trust a self-signed certificate using group policy.  I'd very much appreciate any tips or info on the topic, thanks!
First Last asked:

Nathan P (Systems Architect) commented:
Certificate trust works in that your computer has been pre-populated with the public certificates of trusted 3rd party "Certificate Authorities" (CA).  This includes the likes of Verisign, Entrust, etc...

Then, any certificate they 'sign', your computer recognizes that the certificate from website is signed by them, therefore 'guaranteeing' that the owner of '' paid that trusted company to have their certificate produced.  In the case of "Extended Validation" certificates, they even paid for their company to be checked out by the CA.  ( )

Your computer on a domain 'trusts' the domain "CA" because the domain orders it to.  Thereby delivering a copy of the Domain's CA's certificate to your computer, to allow you to sign certificates for internal use.  Of course, this doesn't work for your websites you want external visitors to visit, as they don't know your domain's CA, or your domain (if you've done it right).

This means that if you have external visitors, you pay a 3rd party (as in, not you, not the visitor, but a 3rd person) CA to 'sign' the certificates for your website, meaning they can 'trust' you to be who you claim you are.

As for the matter of your machines not accepting the self signed certificates when you 'import' them, it might be a matter of where you imported them to.  Your computer stores different types of certificates.. Ones that are Trusted 3rd Party CAs, ones that are intermediary signing CAs, or ones that are given directly to your computer by a site.. eg, the ones you are having trouble with.  If you've imported them to the wrong type, that's where issues occur.

Either replace the Self Signed Certs from these with ones from your internal Domain CA (since they are mostly internal use) or from a 3rd Party CA if you expect external access, or follow the import instructions for each product to the letter.

Here's VMware's one:  

Best of luck.
First Last (Author) commented:
Ok, great explanation, thanks!  Let me pose a question on this topic.  If I wanted to use the self-signed SSL certificate that an ASA generates for use with an Anyconnect VPN how can I have my domain PCs trust it without having to confirm each time?  Here is what I did which isn't working:

1) Connect to the VPN and get prompted to accept the certificate
2) When prompted I have the option to export the certificate
3) Export certificate to p7b style certificate
4) Copy certificate file over to my DC
5) Setup new group policy and followed these steps to add as a trusted certificate authority:

I still get prompted to confirm the certificate each time.  This prevents certain features from working properly like group policy processing.  Can you tell me what I'm doing wrong?
First Last (Author) commented:
Update:  I verified that the group policy is working and I see the certificate in the list.  I also tried manually adding the certificate to each of the available certificate stores but I still get prompted each time I attempt to connect.
Nathan P (Systems Architect) commented:
I'm going to take a guess...

So, if you are saving the certificate from the ASA, are you saving the endpoint certificate it gives you, or its 'signer's certificate'?

I'll include a look at my vCenter's certificate inspection page.. See how it says it can't be verified up to a certificate authority?  

This means that it is just a certificate.   If you put this into your domain in the 'Trusted Root Certification Authorities', you're saying to the server that this is a certificate that SIGNS other certificates.. which is wrong, as it's just a certificate that is saying that this is your vCenter/ASA, and that's it!

In short, because it wasn't signed by a root, you can't import the root certificate to be trusted.  

Best:  Replace the cert with one from your domain CA.  Then it's auto-trusted, no mess, no fuss.
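A quick way to answer the question above (endpoint certificate or signer's certificate?) before touching group policy is to let Windows describe the exported file itself. The script below is an added example, not code from this thread or from Cisco/VMware; it assumes the export was saved as C:\certs\asa.p7b (a placeholder path; a .cer export works the same way) and runs on the machine that is being prompted.

```powershell
# Added example, not code from the thread. Inspects a certificate exported
# from a device (ASA, vCenter, WLC) and reports what Windows thinks of it.
# Assumption: the export is saved as C:\certs\asa.p7b (placeholder path).
param([string]$Path = 'C:\certs\asa.p7b')

$ns = 'System.Security.Cryptography.X509Certificates'
$coll = New-Object "$ns.X509Certificate2Collection"
$coll.Import($Path)   # Import() understands DER/Base64 .cer and PKCS#7 .p7b

foreach ($cert in $coll) {
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Thumbprint : $($cert.Thumbprint)"
    "Expires    : $($cert.NotAfter)"

    # Self-signed: the certificate names itself as its own issuer.
    "Self-signed: $($cert.Subject -eq $cert.Issuer)"

    # Basic Constraints (OID 2.5.29.19) says whether it may sign other certs.
    # A device's endpoint certificate normally has CA=false or no extension,
    # which is why it does not belong in Trusted Root Certification Authorities.
    $bc = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCA = $false
    if ($bc) { $isCA = $bc.CertificateAuthority }
    "Marked CA  : $isCA"

    # Which local stores already hold this thumbprint? Root = trusted signing
    # CAs, CA = intermediates, My = this machine's own certificates.
    foreach ($store in 'Root', 'CA', 'My') {
        $hit = Get-ChildItem "Cert:\LocalMachine\$store" |
               Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        if ($hit) { "Found in   : LocalMachine\$store" }
    }

    # Build the chain the way the OS does and print every status flag, so the
    # reason for the prompt (untrusted root, expired, etc.) is spelled out.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($cert)
    "Chain OK   : $ok"
    foreach ($s in $chain.ChainStatus) {
        "  - $($s.Status): $($s.StatusInformation.Trim())"
    }
    ""
}
```

The chain check does not compare the certificate's name against the host you connect to, so a VPN or browser can still warn on a name mismatch even when every status above is clean.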

First Last (Author) commented:
I got it:  Issue certificate from CA, apply to device, automatically trusted.  Thanks!