"This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust"
When implementing an SSL solution, say to provide secure access to your OWA server, if you decide to put in place your own PKI or certification authority rather than just getting the cheque book out and purchasing a certificate from a third party, you'll need to remember that the certificates issued by your CA aren't trusted by your browser, even Internet Explorer, as they haven't been issued by a trusted root certification authority. This means that security warnings will be issued whenever you try to access your 'secure' site using the issued certificate. For example, when accessing OWA in an environment running Windows 2003 Certificate Services, you will receive the following warning dialog when accessing the site.
While it's possible just to continually select 'Yes' to proceed past this warning and access the OWA-served mailbox securely, it's probably not good practice to ask or encourage your users to select 'Yes' to a security warning. Heck, who knows what the next warning might be that they say 'aye' to... some Gator-like malware install perhaps? Instead, it's a much better idea to install your root certificate in your clients' browser certificate store, which stops the warning being displayed. This is a simple enough task, although before you begin it's important to note that you are installing your CA's root certificate into the browser, and not the certificate that was issued to the OWA server and presented to your browser. Therefore, it's not possible merely to select 'View Certificate' on the security warning and then choose 'Install certificate'. Instead, it is necessary to export the CA's root certificate (.crt) file to a Base64 root certificate (.cer) file and to import that certificate.
To do this...
Find and then double-click the root certificate file.
Click the 'Details' tab and select 'Copy to File' to start the Certificate Manager Export Wizard.
On the second screen of the wizard select Base64, and on the third screen provide a path and file name for the certificate.
Once you have exported the certificate it needs to be imported into the browser...
Double-click the .cer file.
Choose 'Install certificate', which will start the Certificate Import Wizard.
On the 'Certificate Store' page, do not accept the default 'Automatically select the certificate store'; instead choose 'Place all certificates in the following store'. Hit 'Browse' and then select 'Trusted Root Certification Authorities'.
Then 'OK', 'Next' and 'Finish'.
A security warning will be displayed stating that you are installing a certificate that can't be validated.
Choose 'Yes' and you should receive an 'Import was successful' dialog. Now when you access your OWA site, the warning won't be displayed, and you should also notice a considerable improvement in the delivery of the logon page/mailbox.
If you have a large number of users you will want to look at using Group Policy to roll out the certificate install, or at least to provide secure but simple access to the file, along with easy-to-follow instructions for your users to carry out the task themselves.
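As an added example that is not part of the original post, the same export, check and import sequence done in PowerShell (5.1 or later). It also guards against the mistake the post warns about, installing the certificate issued to the OWA server instead of the CA root, by refusing anything that is not self-signed with CA=TRUE. The two paths are placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not from the original post); requires Windows PowerShell 5.1+.
# Placeholder paths: the CA root (.crt) as exported and the Base64 (.cer) copy to write.
param(
    [string]$RootCertPath  = 'C:\certs\RootCA.crt',
    [string]$Base64OutPath = 'C:\certs\RootCA.cer'
)

$cert = [X509Certificate2]::new($RootCertPath)

# 1. Check that this really is the CA root and not the certificate issued to the OWA
#    server: a root is self-signed (subject = issuer) and carries basicConstraints CA=TRUE.
$basic = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
if ($cert.Subject -ne $cert.Issuer -or -not $basic -or -not $basic.CertificateAuthority) {
    throw "'$($cert.Subject)' is not a self-signed CA certificate. Export the CA root, not the server certificate."
}

# 2. Write the Base64 (.cer) form, the same as the wizard's 'Base-64 encoded X.509' choice.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $Base64OutPath -Value $pem -Encoding Ascii

# 3. Import into Trusted Root Certification Authorities (the 'Root' store) explicitly,
#    rather than letting Windows 'automatically select' a store. For the current user
#    this raises the same 'cannot be validated' prompt the wizard shows; answer Yes.
$store = [X509Store]::new([StoreName]::Root, [StoreLocation]::CurrentUser)
$store.Open([OpenFlags]::ReadWrite)
try {
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }
} finally {
    $store.Close()
}

# 4. Confirm the import by thumbprint so users can compare it with the value you publish.
$installed = Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed) { throw 'Root certificate was not added to the Trusted Root store.' }
"Installed '$($installed.Subject)' with thumbprint $($installed.Thumbprint)"
```

For a per-machine rollout (for instance as a startup script alongside the Group Policy approach mentioned above), switch to `[StoreLocation]::LocalMachine` and run elevated; that location adds the certificate without the prompt.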
So now that you have got rid of this warning, you're going to make sure that your boss knows you've saved him a few hundred pounds (or dollars!) and that all is now well (in reality it may have cost more in time to implement than a third-party certificate would have cost to buy). However... if you're also making use of Outlook Mobile Access, not using a third-party certificate may come back to bite you. Depending on the mobile device being used (Windows-powered Smartphones are fine), the browser will again throw up a warning about the certificate not being trusted or verified, and in some cases that'll be the end of the line, i.e. the browser won't offer the ability to import your own certificate and there'll be no way past the error/warning. Therefore, if you want to make life easier for everyone, yourself and your users, and to ensure that mailboxes will be easily accessible using whatever method/device, a third-party certificate is probably the way to go.
There is a KB article on importing a root certificate; however, the Rootinstall.asp file throws up errors if used with IE 6.
Chris Meirick on July 3, 2004 at 12:19 PM
Comments
Hi,
I recently set up my OWA for work to use a certificate generated by a stand-alone CA I have on my network there. Everything seemed to be fine except for the security alerts. Although I've exported the root certificate and installed it locally, strangely enough after I follow your steps I am unable to access my login page at all; I get a DNS error. The only way I'm able to fix this is by removing the certificate I installed for my work's CA. Any thoughts on what might be causing this?
Thanks!
Posted by: E. Russell at Dec 14, 2005 5:43:47 AM
Never mind, I had the wrong certificate; everything is fine now. :)
Posted by: E. Russell at Dec 14, 2005 11:35:52 AM
Hi, I have followed the steps mentioned above to install a local web server certificate, and during the import process I am getting an error popup with a blank message and IE hangs.
It's a weird problem and happens on some machines.
OS- Windows XP
IE6.0
Please suggest
-GK
Posted by: GK at Jul 7, 2008 3:42:55 PM
I've got a root cert from my IT guy and when installing it on my smartphone, it automatically goes into my intermediate cert store. Is there any way to 'force' it into my root store on my smartphone?
The IT guy seems to have tried everything he can to create the proper cert and we've tried a few different ways. I can use IE on my smartphone to access my company email (with the warning 'The certificate was issued by a company you have chosen not to trust'), but it works fine that way. It just won't work with Activesync.
I have a Samsung I-740, Windows Mobile 6, Verizon Network.
Can you help?
Thanks,
Ben
Posted by: ben at Oct 31, 2008 12:04:33 PM
Hello. Can you help me? I have an LG; I can get on the internet but I can't open my email.
Posted by: claudia at Nov 26, 2008 8:06:17 AM
