I'm new to this certificate game so bear with me here:
I've established a windows domain, 'somedomain.com'. To this, I've added an
IIS box and named it 'www'. The IIS box's fully qualified name is
'www.somedomain.com' and it faces both the internet and intranet,
dual-nic'd. 'www.somedomain.com' is publicly registered to the IIS box's
public IP on its public-side nic, from where a company web site is served.
I need secure communications on the IIS box over the net. Because the
external clients accessing the IIS box are strictly employees and clients, I
don't really need a "trusted" verisign cert to assure anonymous ecommerce
visitors of my authenticity, etc. My web visitors already "trust" me in
that regard. I just need SSL turned on to protect some data transmissions
with people who already trust me, on a human level anyway. So I installed
certificate services on the IIS box (at which point it issued its own 'root
CA' cert to itself, or so I've managed to ascertain) and then browsed to my
own certsrv web service and, via that interface, issued myself a certificate
for conducting SSL web transactions. So now the IIS box has 2 certs, one
for being the root and one for the site, and in the IIS manager I attached
the SSL cert to the website and turned on SSL. So far, this all appears to
be working as intended - well sort of.
Initially, when an internal client accesses the website, there is a security
alert - the certificate's date is ok, and the name matches, but it's not
from a trusted root CA. Which makes sense, because 'www.somedomain.com'
isn't on IE's default list of trusted CAs. But that's OK, because I could
go into the advanced dialog of the alert message, view the certificate path,
and choose to install the 'www.somedomain.com' root CA cert into the client's
local store of trusted issuing CAs. Alert message solved, browser is happy
with my certs.
From the internet, external testing is popping up the same message just as
I'd expect. But! And finally we reach my problem - the certificate path
only shows the site's SSL cert - the issuing CA cert is not there. The path
consists of 1 cert, not 2.
My questions are:
Why is the cert path "incomplete" when accessing the site externally (i.e.
from the web)? Is this a naming/scope issue?
Is there a best practice to get my root CA cert installed on the web
clients? Preferably something a user could do, given some brief
instructions...
TIA
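As an added example (not part of the original post), here is a PowerShell diagnostic a Windows client can run to see exactly what chain it was able to build for the site. It assumes the hostname 'www.somedomain.com' from the post, port 443, and a client with the .NET SslStream class available; a chain of one non-self-signed element with a PartialChain status is the "1 cert, not 2" symptom described above.

```powershell
# Added diagnostic, not from the original post. Assumes www.somedomain.com
# (the post's hostname) answers HTTPS on 443 and that .NET is available.
$ServerName = 'www.somedomain.com'
$Port       = 443

function Get-PresentedChain {
    param([string]$HostName, [int]$TcpPort = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $TcpPort)
    $script:result = $null
    # The callback sees the chain .NET built from the certs the server sent
    # plus anything the local stores could add. Returning $true only lets
    # the handshake finish so the chain can be inspected; it is not a verdict.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:result = [pscustomobject]@{
            PolicyErrors = $errors
            Status       = @($chain.ChainStatus | ForEach-Object { $_.Status })
            Elements     = @($chain.ChainElements | ForEach-Object {
                [pscustomobject]@{
                    Subject    = $_.Certificate.Subject
                    Issuer     = $_.Certificate.Issuer
                    SelfSigned = ($_.Certificate.Subject -eq $_.Certificate.Issuer)
                    Thumbprint = $_.Certificate.Thumbprint
                }
            })
        }
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($HostName) }
    finally { $ssl.Dispose(); $client.Dispose() }
    return $script:result
}

$chainInfo = Get-PresentedChain -HostName $ServerName -TcpPort $Port
$chainInfo.Elements | Format-Table Subject, Issuer, SelfSigned -AutoSize
"Chain status : $($chainInfo.Status -join ', ')"
"Policy errors: $($chainInfo.PolicyErrors)"

# One element that is not self-signed means the client could not find the
# issuing CA: the server did not send it and the local store does not hold
# it. Exporting the root CA cert on the server and importing it into the
# client's Trusted Root store (for example: certutil -addstore -user Root
# rootca.cer) is the fix the post is asking about.
if ($chainInfo.Elements.Count -eq 1 -and -not $chainInfo.Elements[0].SelfSigned) {
    "Issuer '$($chainInfo.Elements[0].Issuer)' was not found; the root CA cert must be distributed to this client."
}
```

Run it once from an internal client (after the root was installed) and once from an external one to compare the two chains side by side.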