
2003 CA - Trusted Root Certificate Authority?


  • 2003 CA - Trusted Root Certificate Authority?

    Hi all,

    I'm having a problem creating a root trust certificate on a Windows 2003 server running Exchange 2003. I want to use it to configure RPC over HTTP for Outlook clients. I have four servers running 2003: one is the GC, and two others are additional domain controllers, including the Exchange server. The Exchange server is in the same location as the GC; the other is in another country. The GC is also the CA server, while the Exchange server is a subordinate certificate server.

    I can create a web server certificate with no problems, but I can't store it in the clients' trusted root cert store. When importing it into the clients' cert store, using the guide, it ends up in the "Other People" store. When importing the certificate into "Trusted Root Certification Authorities", it doesn't show up.

    I have been using SBS 2003 with RPC over HTTP, where the certificate creation is done by the "Configure Internet and Email" wizard. The clients have no problem downloading and installing these certificates. However, things are not so uncomplicated in a standard Windows 2003 environment.

    I've been working with OpenSSL and Apache on *nix platforms, but I haven't had the same problems that I have here. I've been searching Microsoft's website to find info about this, but I haven't found anything useful.

    I could of course buy a Verisign certificate or something like that, but I don't need that; it's only intended for corporate use.

    I'm pretty new to certificates in a Windows environment. Could anyone point me in the right direction ...

    brgrds - MrDk

  • #2
    It's not the web server cert you need to install on the clients, it's the issuing CA's server auth. If you view the cert details in IE when browsing to your site, then it will tell you which server is the issuing CA.

    Then on this server, open the Certificates MMC, find its own cert, export it and install it on the clients.

    * Shamelessly mentioning "Don't forget to add reputation!"


    • #3
      Thanks for the tip, but it doesn't seem to work.
      The certificates in this store are deployed by default to domain computers, but they don't seem to terminate the SSL connection through IIS.

      I tried to export the certificates and use them as webserver certs, but it didn't work either.

      Gotta try something else.

      brgrds - MrDk


      • #4
        Re: 2003 CA - Trusted Root Certificate Authority?

        To my understanding, there is no such thing as RDP over HTTP. I do know of a flavor called tsweb which can secure the "front page", but this does not do any favors as far as encrypting the session. I've had luck with RDP over SSL/TLS1 with SP1 and RDP over HTTPS with R2. May I suggest SELFSSL?

        It's an easy deployment for 1024 encryption. Keep in mind that the CN must match your machine name. You needn't have the same DC as your A record, however.

        Keep in touch. I'm playing with the same technology at the moment.


        • #5
          Re: 2003 CA - Trusted Root Certificate Authority?

          Actually, it is RPC over HTTP and NOT RDP over HTTP.

          Click on the red link for more information about it.


          • #6
            Re: 2003 CA - Trusted Root Certificate Authority?

            Here is the detailed procedure you need to follow to get your client system to trust the CA server in your organization:
            1. Have the client system browse to https://<certificate server>/certsrv using Internet Explorer.
            2. Click on the "Download a CA certificate, certificate chain, or CRL" link.
            3. Click on the "install this CA certificate chain" link.
            4. Click "Yes" to add the certificate chain.
            What you are doing here is essentially adding the CA server of the organization to the trusted root servers for the client system. I had to talk to a Microsoft tech to figure out this "secret handshake" and make it work.

            Anyway, I have also set up RPC over HTTP on the SBS 2003 platform and never experienced this issue. What truly puzzles me is that it doesn't seem as though SBS 2003 even has a CA. The certificate is "self signed" with the external address of the machine and includes all possible permutations of the machine name itself from the inside as well as the external name. This self signed certificate is apparently accepted by IE without the need to add the certificate server to the trusted roots.

            The questions that are raised are:
            1. Why does IE trust these "self signed" certificates?
            2. How does this certificate come to exist without a CA?
            3. Can one perform similar magic in a non-SBS environment?
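            The store placement the replies argue over (the web server cert landing in "Other People" versus the issuing CA's own cert belonging in Trusted Root, or Intermediate for a subordinate CA), as an added PowerShell example that is not from this thread or from Microsoft. The two file paths are assumptions; it needs PowerShell 5+ and an elevated prompt.

```powershell
# Added example (not from the thread). Works out whether an exported .cer is the
# issuing CA's certificate or the IIS web server cert, imports CA certs into the
# right store, then checks that the server cert now chains to a trusted root.
# Requires PowerShell 5+ and an elevated prompt; the two paths are assumptions.
using namespace System.Security.Cryptography.X509Certificates

$CaCertPath     = 'C:\certs\issuing-ca.cer'  # assumed: CA's own cert, exported from its Certificates MMC
$ServerCertPath = 'C:\certs\rpc-proxy.cer'   # assumed: the web server cert bound in IIS

function Get-CertRole([X509Certificate2]$Cert) {
    # A CA cert carries Basic Constraints (OID 2.5.29.19) with CA=TRUE; the web
    # server cert has CA=FALSE or no such extension, so it can never be a trust anchor.
    $bc = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($bc -and $bc.CertificateAuthority) {
        if ($Cert.Subject -eq $Cert.Issuer) { return 'RootCA' }
        return 'SubordinateCA'
    }
    return 'EndEntity'
}

function Install-CaCert([string]$Path) {
    $cert = [X509Certificate2]::new($Path)
    switch (Get-CertRole $cert) {
        'RootCA'        { $storeName = 'Root' }  # Trusted Root Certification Authorities
        'SubordinateCA' { $storeName = 'CA' }    # Intermediate Certification Authorities
        default { throw "$Path is an end-entity cert ($($cert.Subject)); export and import its issuer's cert instead." }
    }
    $store = [X509Store]::new($storeName, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    $store.Add($cert)    # no-op if the same thumbprint is already present
    $store.Close()
    "Imported '$($cert.Subject)' into LocalMachine\$storeName"
}

function Test-ServerChain([string]$Path) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # trust path only; CRL reachability is a separate issue
    $trusted = $chain.Build([X509Certificate2]::new($Path))
    foreach ($el in $chain.ChainElements) {   # print the path Windows built, leaf first
        $status = if ($el.ChainElementStatus.Count) { $el.ChainElementStatus.StatusInformation -join '; ' } else { 'OK' }
        Write-Host ('{0,-13} {1} [{2}]' -f (Get-CertRole $el.Certificate), $el.Certificate.Subject, $status.Trim())
    }
    return $trusted
}

Install-CaCert $CaCertPath
if (-not (Test-ServerChain $ServerCertPath)) { Write-Warning 'Server cert still does not chain to a trusted root.' }
```

            With the two-tier setup described in the question (root CA on the GC, subordinate CA on the Exchange server), both CA certs have to be imported before the web server cert's chain builds; running the script once per exported CA cert covers that.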