A web server sends its server certificate, which carries its public key, to set up an SSL connection with the client. The client checks whether:
- the certificate is still valid at this point in time
- the name of the server matches the one in the certificate
- the certificate has been issued by an authority it trusts
The last check fails when you self-issue a certificate for a web server. You can see this when you view the server certificate and its certification path.
This path should lead to a CA that is listed in the Trusted Root CAs of the browser’s computer. Why should we trust some server that hands us a self-issued certificate? Since the issuer could be anyone, there is no trust relationship between that issuer and someone we do trust, i.e. the CAs we administer in the Trusted Root CA list.
Normally the administrator of the web server would request his/her server certificate from a trusted CA. But we self-issued the certificate for the purpose of identifying our own users. The computers of our users must therefore be instructed to trust our certificates: both the web server’s and the client certificates.
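The three client checks above, and how installing the CA certificate changes the outcome of the last one, as an added example that is not part of the original article. It uses Go's standard crypto/x509 package; the host name `intranet.example` and the certificate are constructed test data, and the self-issued certificate is modelled as a self-signed one that is its own issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// selfIssued builds a self-signed CA-style server certificate for host (constructed test data).
func selfIssued(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{host}, // the name the client will match against
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// clientCheck runs the three checks from the text. An empty pool models a client that has
// not installed the CA certificate chain into its Trusted Root CAs.
func clientCheck(cert *x509.Certificate, host string, now time.Time, trusted *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, CurrentTime: now, Roots: trusted})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError: // check 1: validity period
		if e.Reason == x509.Expired {
			return "not valid at this time"
		}
	case x509.HostnameError: // check 2: server name vs. certificate
		return "name mismatch"
	case x509.UnknownAuthorityError: // check 3: issuer not in the Trusted Root CA list
		return "issuer not trusted"
	}
	return err.Error()
}
```

Adding the certificate to the pool is the programmatic equivalent of the Install this CA certificate chain step described below: the same certificate that fails with "issuer not trusted" then passes.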
The users can visit the Certificate Services site again. This time they follow the link Download a CA Certificate, Certificate Chain or CRL from the home page. The next page looks like this:
The users should click the top link Install this CA certificate chain, which will put the CA certificate in the list of Trusted Root CAs. They will be prompted with rather nasty dialogs, just like when installing client certificates.
BTW, you can view the Trusted Root CAs in Internet Explorer by selecting Internet Options, switching to the Content tab and clicking Certificates.
Once that is out of the way, users will no longer be warned or prompted about not-so-cool certificates when connecting to the server over SSL. Also, all certificates lose those nasty red crosses claiming that things are not OK.
A lot is OK now, but not all.