
Self SSL - Invalid Certificate

I used Self SSL for the first time today to create a certificate for our exchange-OMA/OWA. I have imported the certificate into trusted root certificate authorities on my local computer so that it will not prompt that the certificate is not from a trusted source.

I am however still getting a certificate error "Invalid Certificate", the IE8 browser bar turns red with a security warning. When I view the certificate it does not display any error and says the certificate is fine.

Can anyone tell me why I am getting this error? Is it normal for self-signed certificates, or is the certificate really invalid somehow?

Thank you


Make sure that the CN ("Common Name") attribute matches in your URL and certificate. For example, if you created your certificate using the CN=localhost, but you are accessing it in IE using something like https://machine.domain.topleveldomain, then IE will complain that machine.domain.topleveldomain is not the same as localhost. I believe it does a string comparison.

Make sure that the certificate was installed in the Trusted Root Certification Authorities (TRCA) under the Local Computer physical store.

If all is installed correctly, then there is one more possibility. Windows has a "feature" that wipes out untrusted certificates (untrusted according to Microsoft) from the TRCA. You can disable this feature first and then reinstall the certificate.

Open up gpedit.msc and drill down to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update. Enable Turn off Automatic Root Certificates Update.

Microsoft provides some details about what that feature does: it's a security feature where your TRCA is compared against Microsoft's database of valid root certificates.

If it is still not working after you turn that feature off, then there is a problem with the way in which you created that certificate. You can make a certificate using makecert. http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx

If your computer's fully qualified name is: machine.domain.com, you can do this:

makecert -n "CN=machine.domain.com" c:\file.cer

Eventually you can access your resources by: https://machine.domain.com

Hope this helps. I have had my fair share of self-signed certificate woes.
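
The three checks from the answer above (CN versus the host in the URL, presence in the Local Computer root store, and the root auto-update policy) as a PowerShell diagnostic; this is an added example, not part of the original answer. The URL and .cer path are the answer's placeholder values, and the registry value read for the Group Policy setting is an assumption about where that policy is stored.

```powershell
# Added diagnostic example. $Url and $CerPath are placeholders from the answer's example.
param(
    [string]$Url     = 'https://machine.domain.com',
    [string]$CerPath = 'C:\file.cer'
)

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$hostName = ([System.Uri]$Url).Host

# Check 1: the subject CN must name the host used in the URL.
# SimpleName returns the CN when the subject has one.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $cert.GetNameInfo($nameType, $false)
if ($cn.StartsWith('*.')) {
    # Wildcard CN: replace the host's first label with '*' and compare literally.
    $nameOk = ($hostName -replace '^[^.]+', '*') -ieq $cn
} else {
    $nameOk = $hostName -ieq $cn
}

# Check 2: the certificate must sit in the Local Computer root store,
# not only in the current user's root store.
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })
$inUserRoot    = [bool](Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

# Check 3: state of "Turn off Automatic Root Certificates Update".
# Assumption: the policy is stored as DisableRootAutoUpdate under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy    = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$autoUpdateOff = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)

[pscustomobject]@{
    UrlHost                 = $hostName
    SubjectCN               = $cn
    NameMatches             = $nameOk
    SelfSigned              = ($cert.Subject -eq $cert.Issuer)
    InLocalMachineRoot      = $inMachineRoot
    InCurrentUserRootOnly   = ($inUserRoot -and -not $inMachineRoot)
    RootAutoUpdateTurnedOff = $autoUpdateOff
} | Format-List
```

A `NameMatches` of `False` corresponds to the CN mismatch case, and `InCurrentUserRootOnly` of `True` means the import went to the user store instead of the Local Computer store.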
