on 05-08-2014 11:07 PM
Dear SDN,
we are trying to establish an SSL environment in our Portal systems; however, by researching in this forum, it seems to me that the ONLY way to get over the "untrusted SSL certificate" warnings in our users' browsers is to generate a Signed Certificate, by means of a Certification Authority.
Please, could someone tell me if this is correct?
Is there another way to fix the unpleasant messages of "untrusted certificate" in the Internet Explorer, after a proper setup of the SSL scenario?
Thank you.
As long as the certificate used to sign the certificate is trusted, you will not get the warning. Many customers choose to use internally signed certificates because of the extra cost involved in getting them signed by a CA. Having a PKI helps, you can distribute certificates automatically. Can you describe your infrastructure a bit more? Do you have Windows domain? Could you leverage Microsoft Certificate Services?
Hi Samuli and colleagues,
we have our clients running IE 9 32bit, 256-bit coding level, on Windows 7.
We are now on DEV environment, no SSO, but next step is to integrate login with Windows (AD). We will also have Web Dispatcher, in a DMZ for external access, in which case it would be interesting to know if it is enough to treat the SSL only in the WD, or if it has to comprise all Web servers.
Sorry Samuli, what is PKI? And how to ensure that the Certificate used to sign the Certificate is trusted?
Thank you all.
PKI is short for Public Key Infrastructure. Since you have a Windows domain, you should talk to your Windows admins about their capability of issuing certificates, with Microsoft Certificate Services for example. The certificate used to sign other certificates can be made trusted by installing it into all client browsers, applications, etc. as trusted. That can be either a manual, scripted or automated step, depending on what software capabilities you have.
Hi Fabio,
Since you are using Active Directory, your Windows/Network Administration group can set up a Microsoft Certificate Authority server (this is relatively easy to do), and you can use Group Policy to push the CA (Certificate Authority) certificate out as a trusted root authority to all the Internet Explorer browsers on workstations that are members of your Active Directory domain. This makes it automated; no logon script or manual intervention on workstations is required. Then, you use your CA server to sign the certificate requests you generate from your Portal, and import the signed certificate back into the Portal. Your IE browsers will now trust the Portal's certificate, because it is signed by your internal CA, and the browsers trust the internal CA because that trust has been pushed out by Group Policy.
For your DMZ Web Dispatcher, however, you will need to get your certificate signed by a regular external CA, such as Thawte or Verisign, because you need it to be trusted by external clients who are not members of your domain, and to whom therefore you cannot push trust of your internal CA.
I hope this helps explain the process at a high level.
Regards,
Matt
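The two situations Matt describes (domain client that trusts the internal CA, external client behind the DMZ that does not), reproduced with the openssl CLI as an added example, not code from the thread. Hostname, CA names and file names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread. An internal root CA signs the Portal's
# certificate request; a client whose trust store holds that root accepts the
# Portal certificate, a client whose trust store does not rejects it (IE's
# "untrusted certificate" warning). All names and paths are placeholders.
set -e
WORK="$(mktemp -d)"
PORTAL_HOST="portal.example.internal"   # placeholder Portal hostname

# Self-signed root CA (key + certificate). In the thread this is the Microsoft CA
# whose certificate Group Policy pushes out to domain members as a trusted root.
make_root_ca() {   # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The certificate request generated on the Portal side.
make_portal_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$PORTAL_HOST" \
    -keyout "$WORK/portal.key" -out "$WORK/portal.csr" 2>/dev/null
}

# The CA signs the request; portal.crt is what gets imported back into the Portal.
sign_portal_csr() {   # $1 = CA file prefix
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/portal.crt" 2>/dev/null
}

# Client-side check: succeeds only if portal.crt chains to a root in the given
# trust store ($1). This is the decision the browser makes before warning.
client_trusts_portal() {
  openssl verify -CAfile "$1" "$WORK/portal.crt" >/dev/null 2>&1
}

report() {   # $1 = client description, $2 = that client's trust store
  if client_trusts_portal "$2"; then echo "$1: trusted"
  else echo "$1: untrusted (browser warning)"; fi
}

make_root_ca internal "Example Internal Root CA"
make_root_ca other    "Some Unrelated Root CA"   # stands in for a public root store
make_portal_csr
sign_portal_csr internal
report "domain client, internal root pushed by Group Policy" "$WORK/internal.crt"
report "external client, internal root not trusted"         "$WORK/other.crt"
```

Signing the Web Dispatcher's request with a CA that external clients already trust is the same procedure with a different signer, which is the point of the DMZ remark above.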
Thank you! You should see a couple of buttons by each reply labeled "Helpful Answer" or "Correct Answer." Press "Helpful" for any and all replies that added to the discussion (they will earn their authors 5 points each.... you have a limit for how many you can award per message thread, but it's higher than the number of replies so far in this one). Press "Correct" for the one that was the ultimate answer. That will award 10 points and you can only do it once per question.
Welcome to gamification!
Hi
What is the OS (32 or 64) & IE version?
BR
SS