
Unable to install certificate

Devilsbane (Member, Posts: 4,214)
Where I work, our parent company is overseas. Some of our employees access some of their "internal" websites. I put quotes on internal because they are external, but they have been signed using private certificates.

Well over here, we don't trust their CA (Why, I'm not sure. I tried to get the ball rolling on a widescale trust, but it didn't get anywhere). So I figure that we can try this on a user basis. I click continue (not recommended) and the site shows up. I go to view certificate, and go over to the certification path. First I viewed and installed the root certificate. Then I went and installed the certificate for that page.

So now when I go over to the certification path, the red X's are gone, and it says This certificate is ok. But back on the general tab it says "This certificate cannot be verified up to a trusted certification authority."

So I don't know where to go from here...
Decide what to be and go be it.

Comments

  • RomBUS (Member, Posts: 699)
    Perhaps they have a stand-alone CA and they need to approve you manually? Just a guess...
  • Devilsbane (Member, Posts: 4,214)
    RomBUS wrote: »
    Perhaps they have a stand-alone CA and they need to approve you manually? Just a guess...

    I'm not requesting a certificate, I just want to trust that CA. You shouldn't need approval to trust a CA or Verisign would be going nuts with people wanting to trust them.
    Decide what to be and go be it.
  • motogpman (Member, Posts: 412)
    Our Cisco ASA and our ADT admin web page will create session certs; even if you manually download the cert, it will always stop at the same page you are describing. Can you contact the admin who set up the CA? I am going to assume that the user's account has rights to accept the certs? Just throwing things out there as possibilities.

    Are you looking at the certificate via the IE browser or from the certificates mmc snapin? I would set up the MS mmc to show user/local pc mmc's and look in there to see if you can find something. It's hard to relay in a thread, too bad we couldn't see some screen shots of the windows you are looking at.
    -WIP- (70-294 and 297)

    Once MCSE 2k3 completed:

    WGU: BS in IT, Design/Management

    Finish MCITP:EA, CCNA, PMP by end of 2012

    After that, take a much needed vacation!!!!!
  • RobertKaucher (Member, Posts: 4,299)
    Devilsbane wrote: »
    I'm not requesting a certificate, I just want to trust that CA. You shouldn't need approval to trust a CA or Verisign would be going nuts with people wanting to trust them.
    Actually you do, kind of. Nothing to do with an AD trust, though. But all the major browsers have certs for the major CA issuers pre-installed.

    Can't you create a GPO that automatically installs their root CA certificate in the browser stores of your PCs?

    Edit: here it is: http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx
  • Devilsbane (Member, Posts: 4,214)
    Actually you do, kind of. Nothing to do with an AD trust, though. But all the major browsers have certs for the major CA issuers pre-installed.

    Can't you create a GPO that automatically installs their root CA certificate in the browser stores of your PCs?

    Edit: here it is: Add a trusted root certification authority to a Group Policy object: Security Configuration Editor

    I don't have access to group policies. But I did install the certificate to my own machine using both the install wizard and manually importing it into the MMC snapin.

    I don't want to expose too much, but I did include a couple screenshots of what I'm looking at. I don't understand why the Certification path looks good, but it can't be verified in the general tab.
    (attachment: ca.JPG, 48.3K)
    Decide what to be and go be it.
  • willhi1979 (Member, Posts: 191)
    I think it means that the root CA isn't in your trusted CA. I think you'd need to import the root CA into the trusted CAs. Verisign and common root CAs are already included there.
  • Devilsbane (Member, Posts: 4,214)
    willhi1979 wrote: »
    I think it means that the root CA isn't in your trusted CA. I think you'd need to import the root CA into the trusted CAs. Verisign and common root CAs are already included there.

    I viewed the Infrastructure3 CA cert and installed that one. I also manually imported it into the trusted root store using MMC.

    I don't get it. Before I did that both certs had red x's in the path screen. Now it appears that they are both trusted, but the general tab says otherwise...
    Decide what to be and go be it.
  • RobertKaucher (Member, Posts: 4,299)
    Devilsbane wrote: »
    I viewed the Infrastructure3 CA cert and installed that one. I also manually imported it into the trusted root store using MMC.

    I don't get it. Before I did that both certs had red x's in the path screen. Now it appears that they are both trusted, but the general tab says otherwise...

    Any hacker can generate a web server certificate for any domain name they choose. All you need is a CA, running on Win Server, for example. Once you have created a CA you can then issue a web server certificate for GoliathNationalBank.com. If you can place a DNS server between a person who banks at Goliath you could run a fake banking system. I'm sure you have heard of this type of man-in-the-middle attack. One thing that prevents this from working is that my browser does not trust the root CA that the hacker has established.

    So if you install the web server certificate for the fake GoliathNationalBank.com web site, you might not get a red bar saying I don't trust this certificate, but your browser will never fully trust the certificate as it cannot verify who published the web server certificate in the first place. If, via a GPO, you could install the root CA certificate as a trusted cert on the client, this attack would work.

    The issue you are experiencing is that the web server cert you are looking at is accepted as valid, but IE cannot verify who published it. So there are two levels of trust:
    1. The user has created an exception for this web server certificate.
    2. An admin has published the root CA certificate in the trusted store of root CA certificates.

    If number two is true, then the web server certificate needs no exception because the client is able to use the root CA's public key certificate to verify the web server's certificate. You have not fulfilled the second condition, so the web server's cert will never be verified.

    Edit: While you may not have access to create a GPO, if this is truly a problem that your users are experiencing repeatedly, you might want to write up an email explaining the situation and steps that could be taken for your boss. PKI is not something normal admins readily understand and could show that you have valuable, high-level knowledge of both PKI and GPOs.
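    The two levels of trust described above, and the later point about comparing a certificate's "issued to" and "issued by" fields, can be reproduced with a throwaway PKI. This is an added example using the openssl CLI, not something posted in this thread; the CA names and hostname are made up, and it assumes openssl 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example (not from the thread): three-tier PKI built with the openssl
# CLI. Trusting only the intermediate ("Infrastructure3"-style) certificate
# does not verify the web server cert; the self-signed root must be trusted.
# All names are made up for the demo; assumes openssl 1.1.1 or newer.
set -e
WORK=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:intranet.example\n' \
  > "$WORK/srv.ext"

# newcsr NAME SUBJECT: fresh RSA key plus certificate request.
newcsr() {
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# Self-signed root CA ("root ca II" in the thread).
newcsr root "/CN=Demo Root CA II"
openssl x509 -req -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
# Intermediate CA, issued by the root.
newcsr inter "/CN=Demo Infrastructure3 CA"
openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
  -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
  -out "$WORK/inter.pem" 2>/dev/null
# Web server certificate, issued by the intermediate.
newcsr srv "/CN=intranet.example"
openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/inter.pem" \
  -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/srv.ext" \
  -out "$WORK/srv.pem" 2>/dev/null

# issuer_of CERT: the "issued by" name; compare it with the subject ("issued
# to") to tell a CA's own certificate from a certificate that CA issued.
issuer_of() { openssl x509 -noout -issuer -nameopt RFC2253 -in "$1"; }

# verify_with TRUSTED: exit 0 if srv.pem chains up to a cert in TRUSTED.
# inter.pem is passed as untrusted chain material, the way a web server sends
# its intermediate in the TLS handshake; that does not make it a trust anchor.
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$WORK/inter.pem" "$WORK/srv.pem" \
    >/dev/null 2>&1
}
# First check passes; second fails ("unable to get issuer certificate")
# because the trust store holds no self-signed root above the intermediate.
verify_with "$WORK/root.pem"  && echo "root trusted: server cert verifies"
verify_with "$WORK/inter.pem" || echo "only intermediate trusted: verify fails"
```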
  • Devilsbane (Member, Posts: 4,214)
    So even though I have used the MMC snapin to install the root cert in my trusted root store, it won't trust it?

    And you are saying the only way I can verify this server is to add it into a GPO?

    I intend to take this home when I have time and play with it. I might not have access to GPOs here, but I certainly do in my own lab. Maybe you're right, I should go home and design a solution, and then present it to somebody here...
    Decide what to be and go be it.
  • Devilsbane (Member, Posts: 4,214)
    I tried installing the infrastructure 3 cert to the trusted roots again, and I looked at it. It isn't in the store despite being installed.

    I also looked over the certificate, and it isn't for the root at all. (Take a look at the attached image).

    Do you see that the infrastructure 3 certificate was issued by root ca II? I was taking the infrastructure3 cert as the root because it was at the top of the path. But apparently this isn't the case. The root is above that, and apparently I can't get access to it...
    (attachment: ca2.JPG, 50.4K)
    Decide what to be and go be it.
  • earweed (Member, Posts: 5,192)
    Is the root CA offline? I'm not sure if this should cause a problem but I'm actually kind of interested now in your problem.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • RobertKaucher (Member, Posts: 4,299)
    Devilsbane wrote: »
    I tried installing the infrastructure 3 cert to the trusted roots again, and I looked at it. It isn't in the store despite being installed.

    I also looked over the certificate, and it isn't for the root at all. (Take a look at the attached image).

    Do you see that the infrastructure 3 certificate was issued by root ca II? I was taking the infrastructure3 cert as the root because it was at the top of the path. But apparently this isn't the case. The root is above that, and apparently I can't get access to it...

    That is correct. You only have the web server certificate. You would have to request an exported copy of their public key certificate. An admin would ideally then import it into the domain clients/servers via the GPO.

    Edit: I re-read your message and want to add something: this certificate is not the public key cert for infrastructure3 CA. It was issued by infrastructure3 CA. It is either a server certificate or a web server certificate.

    Look at the third image on this page:
    http://www.omnisecu.com/security/public-key-infrastructure/how-import-root-ca-certificate-trusted-root-certification-authorities.htm

    Notice the issued to and issued by and the purposes.
    @Earweed, it is not an issue of being offline. There appears to be no trust between Devil's domain and the domain of the CA in question. Even if the CA were sitting right next to Devil and plugged into a network drop next to his workstation, it would not matter.
  • Devilsbane (Member, Posts: 4,214)
    Darn. Unfortunately we don't have much contact with the parent company, but I am going to send the admin listed in the certificate an email, maybe he will deliver.

    Hopefully he speaks English...
    Decide what to be and go be it.
  • Devilsbane (Member, Posts: 4,214)
    Ha, I did it!

    I viewed the Infrastructure cert, clicked on issuer statement, and then more info. That linked me to a page with information about it. I used babelfish to translate the page to English and found the .cer file for the rootca2.

    I downloaded it and imported it into the trusted root ca store and accepted the giant warning message. I can now access the site with no notifications.

    Thank you all for the help and support!
    Decide what to be and go be it.
  • RobertKaucher (Member, Posts: 4,299)
    Devilsbane wrote: »
    Ha, I did it!

    I viewed the Infrastructure cert, clicked on issuer statement, and then more info. That linked me to a page with information about it. I used babelfish to translate the page to English and found the .cer file for the rootca2.

    I downloaded it and imported it into the trusted root ca store and accepted the giant warning message. I can now access the site with no notifications.

    Thank you all for the help and support!

    Cool, based on the purposes I did not think that would work! I learned too!
  • Devilsbane (Member, Posts: 4,214)
    So why doesn't the Root CA show up in the certification path?
    Decide what to be and go be it.
  • RobertKaucher (Member, Posts: 4,299)
    It does not need to. My understanding is that intermediate CA certificates can verify any of the certificates issued in the PKI.
  • willhi1979 (Member, Posts: 191)
    Cool, glad you figured it out! Also, glad that I wasn't completely crazy in suggesting what I did.
  • RobertKaucher (Member, Posts: 4,299)
    willhi1979 wrote: »
    I think it means that the root CA isn't in your trusted CA. I think you'd need to import the root CA into the trusted CAs. Verisign and common root CAs are already included there.
    willhi1979 wrote: »
    Cool, glad you figured it out! Also, glad that I wasn't completely crazy in suggesting what I did.

    You were spot on!