windows server 2003 - WS2003 + IIS = Untrusted Certificate

12
2014-04
  • Riccardo

    I have configured a Windows 2003 server to allow SSL access from the Internet, particularly to enable so-called Outlook Web Access, that is, browsing Exchange Server data from the Internet.

    Following steps from this site, I have achieved the goal by creating a self-issued certificate with the built-in W2K3 Certification Authority, FOLLOWING THE ADVICE to use THE SAME cname as the URL used to access the server from the Internet, that is, the cname has been set to 'mydomain.com/exchange' because this is the URL used to access Exchange Server data from the Internet.

    Users are allowed to connect; however, they're facing the tedious untrusted certificate error. I have read a lot about this problem. It looks like this happens when:

    - the cname and the URL are not the same
    - the certificate has been issued by an untrusted certification authority

    To bypass this problem I have tried to force the workstations accessing the website to accept the certificate although it was not issued by a well-known certification authority, but the problem is still there.

    What can I try?

    EDIT:

    Although a warning is issued, navigation is allowed. These are the warnings I get:

    Google Chrome:

    The site's security certificate is not trusted. You attempted to reach mydomain.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. (Proceed Anyway)

    Internet Explorer 9:

    There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. (Continue to this website (not recommended).)

    Opera 11:

    The server's certificate chain is incomplete, and the signers are not registered. Accept? Certificate errors: The certificate for "mydomain.com/exchange/" is signed by the unknown Certificate Authority "WIN2003DC". It is not possible to verify that this is a valid certificate.

  • Answers
  • Scott

    If the server and the workstations are all members of the same Windows domain, you can create a Windows certificate authority for the domain and have it issue a certificate to the web server. The CA's root certificate will automatically be published in Active Directory, and all computers that are part of the domain will trust that root certificate and any certificates issued by it. This allows your organization to issue its own certificates that are trusted by its own computers without having to pay some third-party certificate authority. These certificates are obviously only trusted within your organization.

    If you don't have a domain, or if the client computers are not part of your domain, then you need a certificate issued by a mutually trusted third-party certificate authority. You'll have to pay them for the certificate.


  • Related Question

    What is the true level of danger when a SSL certificate is invalid?
  • Chris Pratt

    I'm relatively tech-savvy, but I'm no security expert. To my understanding, an invalid SSL certificate is only a problem if you're going to provide some sort of potentially exploitable information to a website and you are not sure that the website you're at is truly owned by the organization you believe it to be.

    I ask because my workplace uses content filtering that makes every SSL cert invalid. The browser sees the website as originating from the content filtering server on the network rather than the actual server the website is being served from. I'm tempted to simply turn off certificate checking altogether in my browser (Firefox) because it's not doing anything for me other than creating hassle, but I wanted to check to see if there's some facet of the issue I might be missing? I'm smart enough to ensure that the website I'm visiting is the website I think I'm visiting without the confirmation of the cert, so based on my understanding, I shouldn't have any problems.


  • Related Answers
  • Michael Urvan

    Basically with that kind of proxy, your employer can see even banking information and such via SSL because they have an unencrypted copy via the proxy. Your computer is requesting a webpage from the proxy server, and then your employer's proxy server is requesting the pages from the destination on your behalf, and the proxy software gets an unencrypted copy because it is in the middle. So the proxy can see the contents of every web page you see. The only way SSL is secure is when your PC and the destination PC talk directly via SSL.

    Your browser is correctly warning you that your information is not secure. I think that the connection between the three points is still using encryption, so the whole world can't see it - just your employer.

    One note to remember, even with SSL turned on properly, your employer can still see the URLs (in the browser address bar) that you go to. Most search engines like google place a lot of information in the URL (words you searched for, etc).

  • DrNoone

    The main problem, IMHO, is that your browser (or your client's browser) is always complaining about invalid certificates. If it happens once in a while, you go and check whether it is an error or not. If it happens every time, you stop checking. I mean, your information could be safe from sniffing because you're encrypting the communication channel, but you may be talking with a rogue server, and that could be easily exploited.
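The two threads above turn on the same client-side checks: is the certificate's issuer chain anchored in a CA the client trusts (Scott's point about publishing a domain CA root, and Michael Urvan's point about an inspecting proxy presenting its own certificates), and does the name in the certificate match the host the user typed (the first cause listed in the question). The script below is an added example, not code from either thread; it uses openssl to build two private CAs (one standing in for the organisation's own CA, one for a TLS-inspecting proxy), issue server certificates from each, and classify each certificate the way a browser would. The CA names, the `mydomain.com` hostnames and the `classify` helper are constructed for this demonstration. Note that a name such as `mydomain.com/exchange` is a URL, not a hostname, so the example shows the name-mismatch case by checking a valid certificate against a different hostname.

```shell
#!/bin/sh
# Added example (not from the thread). Builds private CAs with openssl, issues
# server certificates, and classifies them as OK, NAME_MISMATCH or
# UNTRUSTED_ISSUER, mirroring the browser warnings quoted in the question.
# All CA names and hostnames are constructed placeholders.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA certificate and key under the given file stem.
make_ca() {   # $1 = file stem, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a server certificate from CA $1 for DNS name $3, stored under stem $2.
# The name is placed in subjectAltName, which is what clients actually match.
issue_cert() {   # $1 = CA stem, $2 = cert stem, $3 = DNS name
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Mimic a client's checks in the order browsers report them: first whether the
# issuer chains to a trusted CA, then whether the name matches the host typed.
# $1 = cert stem, $2 = hostname the user typed, $3 = trusted CA stem ("" = none)
classify() {
  cert="$WORK/$1.pem"
  if [ -n "$3" ]; then
    anchors="-CAfile $WORK/$3.pem"          # only this CA is trusted
  else
    anchors="-no-CAfile -no-CApath"          # empty trust store
  fi
  if openssl verify $anchors "$cert" >/dev/null 2>&1; then
    if openssl verify $anchors -verify_hostname "$2" "$cert" >/dev/null 2>&1; then
      echo OK
    else
      echo NAME_MISMATCH
    fi
  else
    echo UNTRUSTED_ISSUER
  fi
}

# Constructed demo material.
make_ca corpca "WIN2003DC-example"        # the organisation's own CA
make_ca proxyca "FILTER-PROXY-example"    # a TLS-inspecting proxy's CA
issue_cert corpca server mydomain.com     # the real Exchange front end
issue_cert proxyca fake   mydomain.com    # what the proxy presents for that host

echo "corp CA trusted, right name:   $(classify server mydomain.com corpca)"
echo "corp CA trusted, wrong name:   $(classify server mail.mydomain.com corpca)"
echo "no CA installed:               $(classify server mydomain.com "")"
echo "proxy cert, only corp CA:      $(classify fake mydomain.com corpca)"
echo "proxy cert, proxy CA trusted:  $(classify fake mydomain.com proxyca)"
```

The last two lines are the proxy scenario from the second thread: the proxy's certificate for `mydomain.com` is rejected as an untrusted issuer until the proxy's CA is added to the trust store, after which the same certificate verifies cleanly. That is why adding a root to client trust stores silences the warning, and also why a client that has been told to trust an extra root can no longer tell the real server from the device in the middle; comparing the issuer of the presented certificate against the one you expect is the check that still distinguishes them.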