OWA certificate cannot be verified

RickyVene

I have been using 2003 standard certificate for almost two years and I have
renewed my OWA 2003 for the second year. I'm still having this problem with
Certificate Error on IE7. The error is "this certificate cannot be
verified...".

Actually I don't mind this before because according to the webcast of Kai if
you know your CA then you know it's legitimate cert. I even have this on my
eTrust 8.x console on the web, I've called support and they don't have
solution to the untrusted certificate error. But the problem is my boss and
my users. They're hard to please and give stupid feedback to me.

Can someone please give me some clue on how to make my certificate
legitimate to my users? Google/Live give so many links to these but not one
of them gives the right direction, or maybe I haven't read a good solution
yet. Well I hope I will find something here.

Or do I need to go back to Verisign or Cybersource? Or even open source.

Thanks,
Ricky
 
RickyVene

OK.

I remember now how to trust the certificate. You need to install the
root CA on the computer you use. I use my company laptop and it does the
trust on the certificate of the OWA. And I remember that root CA is being
pushed automatically on the member computer. Non member is not, you need to do
it manually.

So I export the pfx root certificate on the non member computer accessing
outside and trust on the website is ok.

The question now, is this safe to install the root cert on a non member
computer? The validity of the root CA is five years with 2048 length.

Thanks,
Ricky

Brian Komar

Whoa!!!!
You do not have to install the PFX file. Do NOT INCLUDE THE PRIVATE KEY IN
THE EXPORT!
(I am yelling for your safety, not at you).

You need to deploy the .cer file (base64 or DER encoded both work). They
need to install the certificate into the trusted root store.
The easiest way is to deploy it through AD (if they are machine members).

certutil -dspublish -f certfile.cer RootCA
(this must be run by a forest root domain admin or by an enterprise admin)

If they are not domain members, certutil in a batch file is probably your
best bet.
certutil -addstore root certfile.cer
(this must be run by a local Administrator on the client computer)

In both cases, this adds the root CA certificate to the trusted root store.

You could also write directions on how to add the certificate to the user's
trusted root store using the certmgr.msc console.

But, never deploy the actual PFX file of the Web server certificate. If I
got this certificate, I could become your Web server on any version of *any*
OS that has a web server service.
Brian
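
Added example, not part of the original post and not Brian's or Microsoft's code: a PowerShell pre-flight check for the non-domain-member case above that refuses a PFX/PKCS#12 file, confirms the file is a self-signed CA certificate, prints its thumbprint, and only then runs the certutil command from the post. The default file name certfile.cer is the placeholder used in the post; the script assumes Windows PowerShell 5 or later, run as a local Administrator.

```powershell
# Added example: check a root CA file before adding it to the trusted root store.
using namespace System.Security.Cryptography.X509Certificates
param([string]$Path = 'certfile.cer')   # placeholder name from the thread

$full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path

# 1. Refuse anything that is not a bare certificate. A PFX (PKCS#12) container
#    can carry the private key and must never be handed to clients.
$type = [X509Certificate2]::GetCertContentType($full)
if ($type -ne [X509ContentType]::Cert) {
    throw "Refusing '$Path': content type is $type, expected Cert (DER or base64 .cer)."
}

$cert = [X509Certificate2]::new($full)

# 2. A root CA certificate names itself as issuer. This compares the names only;
#    it does not verify the signature.
if ($cert.SubjectName.Name -ne $cert.IssuerName.Name) {
    throw "Refusing '$Path': issued by '$($cert.Issuer)', so it is not a root certificate."
}

# 3. Warn if the Basic Constraints extension does not mark it as a CA.
$bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "'$Path' is not flagged as a CA in Basic Constraints."
}

# 4. Print what is about to be trusted, to compare with the value read from the
#    CA itself over a separate channel.
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# 5. Add to the machine's trusted root store with the command from the post.
certutil -addstore root $full
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }
```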


RickyVene

Mr. PKI,

So this is the safe way. Now I understand a little about extension PFX and
CER.

I deleted the PFX, as soon as I read this.

I guess, I have to read why Verisign or Thawte is trusted automatically on the
internet.

THANK YOU VERY MUCH,
Ricky

Brian Komar

Verisign, Thawte and others have been certified as commercial root
providers.
These links may give you more information on the WebTrust for CA parties
program.

http://support.microsoft.com/kb/931125
http://www.microsoft.com/technet/archive/security/news/rootcert.mspx?mfr=true

Brian


RickyVene

By the way, the certutil.exe is not available on XP by default so you can
right click and install the certificate and make sure you added this on
Trusted Root Certificate (just below personal folder). In Vista Enterprise
certutil is available immediately (I think).

Testing is the key, luckily I have four kids, I have five computers at home.

Thanks again and more power,
Ricky
