Trusted CA question

620

I'm new to this certificate game so bear with me here:

I've established a windows domain, 'somedomain.com'. To this, I've added an
IIS box and named it 'www'. The IIS box's fully qualified name is
'www.somedomain.com' and it faces both the internet and intranet,
dual-nic'd. 'www.somedomain.com' is publicly registered to the IIS box's
public IP on its public-side nic, from where a company web site is served.

I need secure communications on the IIS box over the net. Because the
external clients accessing the IIS box are strictly employees and clients, I
don't really need a "trusted" verisign cert to assure anonymous ecommerce
visitors of my authenticity, etc. My web visitors already "trust" me in
that regard. I just need SSL turned on to protect some data transmissions
with people who already trust me, on a human level anyway. So I installed
certificate services on the IIS box (at which point it issued its own 'root
CA' cert to itself, or so I've managed to ascertain) and then browsed to my
own certsrv web service and, via that interface, issued myself a certificate
for conducting SSL web transactions. So now the IIS box has 2 certs, one
for being the root and one for the site, and in the IIS manager I attached
the SSL cert to the website and turned on SSL. So far, this all appears to
be working as intended - well sort of.

Initially, when an internal client accesses the website, there is a security
alert - the certificate's date is ok, and the name matches, but it's not
from a trusted root CA. Which makes sense, because 'www.somedomain.com'
isn't on IE's default list of trusted CAs. But that's OK, because I could
go into the advanced dialog of the alert message, view the certificate path,
and choose to install 'www.somedomain.com' root CA cert into the client's
local store of trusted issuing CAs. Alert message solved, browser is happy
with my certs.

From the internet, external testing is popping up the same message just as
I'd expect. But! And finally we reach my problem - the certificate path
only shows the site's SSL cert - the issuing CA cert is not there. The path
consists of 1 cert, not 2.

My questions are:

Why is the cert path "incomplete" when accessing the site externally (i.e.
from the web). Is this a naming/scope issue?

Is there a best practice to get my root CA cert installed on the web
clients? Preferably something a user could do, given some brief
instructions...

TIA

David Cross [MS]

I wish I could give you an easy answer for this one - there is no simple
solution to deploy trusted roots outside of the default roots that are
trusted in the operating system or those that you distribute through group
policy in AD.

Andrew Mitchell

620 said:
Why is the cert path "incomplete" when accessing the site externally
(i.e. from the web). Is this a naming/scope issue?

It sounds like your CA is on a host that's listed on your internal DNS, but
is not an internet facing machine.
As the external client cannot resolve the host name of the root CA, it cannot
be verified and fails.

620 said:
Is there a best practice to get my root CA cert installed on the web
clients?

I'm having the same problem at the moment. The only two options I can think
of are to install the root CA on the web server (which I don't want to do) or
buy a 'real' certificate.
www.freessl.com are selling them at $98 for 3 years which seems reasonable.

Andy.

Steven L Umbach

I suppose you could email the CA certificate [public key] to those who need
it after exporting it to a .cer file? Not an elegant solution but it may
be something to look into. Clicking the .cer file should bring up the
certificate install wizard. --- Steve

David Cross said:
I wish I could give you an easy answer for this one - there is no simple
solution to deploy trusted roots outside of the default roots that are
trusted in the operating system or those that you distribute through group
policy in AD.

--
David B. Cross [MS]

This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

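Steve's export-the-.cer-and-install route, together with a check of how many certificates the client's chain engine actually finds for the site (the "1 cert, not 2" symptom from the question), as an added PowerShell example that is not from any poster in this thread. It assumes PowerShell 5 or later with the PKI module, that the self-issued root's CN is 'www.somedomain.com' as described above, and a placeholder export path under C:\Temp.

```powershell
# Added example, not from the thread. Assumes PowerShell 5+ with the PKI module
# (Export-Certificate / Import-Certificate); names and paths below are assumptions.
$CaName  = 'www.somedomain.com'            # CN of the self-issued root, per the question
$Site    = 'www.somedomain.com'            # site whose SSL cert that root issued
$CerPath = 'C:\Temp\somedomain-root.cer'   # placeholder path for the exported root

# --- On the IIS/CA box: export the root CA certificate (public part only) ---
# A self-signed root has Subject == Issuer; exporting from the Root store as
# -Type CERT writes only the certificate, never a private key.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$CaName*" -and $_.Subject -eq $_.Issuer } |
        Select-Object -First 1
if (-not $root) { throw "No self-signed root with CN=$CaName in LocalMachine\Root" }
Export-Certificate -Cert $root -FilePath $CerPath -Type CERT | Out-Null
"Exported root; thumbprint $($root.Thumbprint) - give users this value to compare"

# --- On a client: install the .cer as a trusted root for the current user ---
# Windows shows a warning dialog when adding to CurrentUser\Root; the user should
# confirm the thumbprint received out of band matches before accepting.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null

# --- On a client: see what the chain engine actually builds for the site ---
# Fetch the server's certificate; the callback returns $true only so we can inspect it,
# the real verdict comes from X509Chain.Build below.
$tcp = [System.Net.Sockets.TcpClient]::new($Site, 443)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Site)
$leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # the thread is about trust, not revocation
$trusted = $chain.Build($leaf)
"Chain elements: $($chain.ChainElements.Count)  (2 = site cert + root; 1 = issuer not found)"
"Trusted: $trusted  Status: $(($chain.ChainStatus | ForEach-Object Status) -join ', ')"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
```

Run the last section before and after the import: an internal client with the root in its store reports 2 elements and Trusted: True, while a client that only has the server's single certificate and no way to locate the issuer reports 1 element with a PartialChain or UntrustedRoot status.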