The need for Trusted Root Certificate Authorities

A web server sends its server certificate (which carries its public key) to set up an SSL connection with the client. The client checks whether

  • the certificate is still valid at this point in time
  • the name of the server matches the one in the certificate
  • the certificate has been issued by an authority it trusts

The last check will fail when you self-issue a certificate for a web server. You can see this when you view the server certificate and its certification path.

This path should lead to a CA that is listed in the Trusted Root CAs of the browser's computer. Why should we trust some server that hands us self-issued certificates? Since the issuer could really be anyone, there is no trust relationship between them and someone we do trust, i.e. the ones we administer in the Trusted Root CA list.


Normally the administrator of the web server would request his/her server certificate from a trusted CA. But we self-issued the certificate for the purpose of identifying our own users. The computers of our users must be instructed to trust our certificates: both the web server’s and the client certificates.


The users can visit the Certificate Services site again. This time they will follow the link Download a CA Certificate, Certificate Chain or CRL from the homepage. The next page looks like this:



The users should click the top link, Install this CA certificate chain, which will put the CA certificate in the list of Trusted Root CAs. They will be prompted with rather nasty dialogs, just like when installing client certificates.
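The three checks listed at the top of the post, and the effect of installing the CA certificate into the trusted root list, can be reproduced in code. The following is an added example (not code from the original post or from Certificate Services): it builds a throw-away lab PKI in memory, a self-issued root CA standing in for our Certificate Services CA plus a server certificate it signs, and then verifies the server certificate against an empty trust store (the browser before the CA is installed) and against a store containing the CA. It also shows the other two checks failing on a name mismatch and after expiry. All names, dates and the host name intranet.example.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// labPKI holds a self-issued CA and a server certificate signed by it.
// Everything is generated in memory; nothing is written to a store.
type labPKI struct {
	caCert     *x509.Certificate
	serverCert *x509.Certificate
}

// mustCert signs template with parent's key and parses the result.
func mustCert(template, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildLabPKI issues a root CA (10 years) and a server certificate (1 year)
// starting at notBefore. Names are hypothetical.
func buildLabPKI(notBefore time.Time) labPKI {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Lab Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-issued

	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "intranet.example.test"},
		DNSNames:     []string{"intranet.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return labPKI{caCert: caCert, serverCert: mustCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)}
}

// classify maps the verification error onto the three checks from the post.
func classify(err error) string {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "untrusted-issuer" // chain does not end at a trusted root
	case errors.As(err, &hn):
		return "name-mismatch" // server name not in the certificate
	case errors.As(err, &ci) && ci.Reason == x509.Expired:
		return "expired" // outside NotBefore..NotAfter
	default:
		return "other"
	}
}

// verifyServer performs the client-side checks against the given root store.
func verifyServer(p labPKI, roots *x509.CertPool, host string, now time.Time) string {
	_, err := p.serverCert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return classify(err)
}

// runScenarios mirrors the post: the default store (CA absent) versus a store
// with our CA installed, plus the name and validity-period checks.
func runScenarios() map[string]string {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	now := issued.Add(30 * 24 * time.Hour)
	p := buildLabPKI(issued)
	empty := x509.NewCertPool()  // browser before "Install this CA certificate chain"
	trusted := x509.NewCertPool() // browser after the CA is in Trusted Root CAs
	trusted.AddCert(p.caCert)
	return map[string]string{
		"default-store": verifyServer(p, empty, "intranet.example.test", now),
		"ca-installed":  verifyServer(p, trusted, "intranet.example.test", now),
		"wrong-name":    verifyServer(p, trusted, "other.example.test", now),
		"after-expiry":  verifyServer(p, trusted, "intranet.example.test", issued.Add(400*24*time.Hour)),
	}
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-14s %s\n", k, v)
	}
}
```

Note that an empty, explicitly supplied root pool is used instead of the system store, so the "default-store" case does not depend on what happens to be installed on the machine running the example; the only thing that turns "untrusted-issuer" into "ok" is adding the CA certificate to the pool, which is exactly what the Install this CA certificate chain link does for the browser.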



BTW, you can view the Trusted Root CAs from Internet Explorer by selecting Internet Options, switching to the Content tab, and clicking Certificates.



Once that is out of the way, users will no longer be reminded or prompted about not-so-cool certificates when connecting to the server over SSL. Also, all certificates will lose those nasty red crosses claiming that things are not OK.



A lot is OK now, but not all.
