Question
Tuesday, November 16, 2010 8:38 PM
Operating System:Windows 7
Version:Internet Explorer 8
Derived from http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/36d4f7e8-4939-41d7-96eb-4ed6152681f9
Problem Description:
There is an intranet site: https://example.com.
There are Computer A and Computer B, which are connected to the work network (LAN).
Computer A is connected to a domain.
Computer B is NOT connected to a domain (workgroup).
Computer A connects to the website https://example.com without errors.
Computer B connects to the website https://example.com with Certificate Error: "Untrusted certificate".
Certificate Information:
This certificate cannot be verified up to a trusted certification authority.
Issued by: ... Primary Class 2 Certification Authority
All replies (5)
Tuesday, November 16, 2010 10:21 PM ✅Answered
Hi,
The issue is simply that Computer B does not trust the domain that trusts the computer that is hosting https://example.com.
More specifically, when a machine is joined to an Active Directory domain that has a Root Certificate Authority, then the Root Certificate Authority certificate is placed in the client machine's Local Machine Trusted Root Certification Authorities store.
You can view the certificates in the Local Machine's Trusted Root Certification Authorities store by following these steps:
1. Run mmc.exe
2. File -> Add or Remove Snap-in
3. Select “Certificates” and click “Add”
4. Select “Computer Account” and click “Next >”
5. Select “Local Computer” and click “Finish”
6. Click OK
7. In the “Console Root” tree, expand “Certificates (Local Computer)”
8. Expand “Trusted Root Certification Authorities” and click “Certificates”
On machine A, this store will contain a certificate issued to: “Primary Class 2 Certification Authority”
On machine B, this store will NOT contain that certificate, and that is why machine B does not trust https://example.com.
Can you explain why you would like machine B to trust that website?
Can you join machine B to the domain that trusts the “Primary Class 2 Certification Authority”?
If you cannot join machine B to that domain, then another solution is to manually install the “Primary Class 2 Certification Authority” into machine B’s “Trusted Root Certification Authorities”. To do this, follow these steps:
1. In the “Trusted Root Certification Authorities” store on machine A:
a. Right-click the “Primary Class 2 Certification Authority” certificate
b. Select “All Tasks” and click “Export”
c. Click “Next >”
d. Select “DER encoded” and click “Next >”
e. Save the file to a USB stick or someplace accessible from machine B and click “Next >”
f. Click “Finish”
2. On machine B:
a. Open the certificate file exported from machine A
b. Click “Install Certificate” and click “Next >”
c. Select “Place all certificates in the following store”
d. Click “Browse” and select the “Trusted Root Certification Authorities”
e. Click “OK”, then click “Next >”
f. Click “Finish”
g. Click “OK” on the “Security Warning”
3. On machine B, try to open https://example.com
I hope that helps,
John
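The export/import procedure above, done from PowerShell with the .NET X509 classes that ship with Windows 7 (added example, not code from the thread). The CA subject is taken from the thread; the drive letter E:\ and the file name are assumptions. The last function rebuilds the site's chain so you can see the UntrustedRoot status behind IE's "Untrusted certificate" before the import and a clean chain after it.

```powershell
# Added example (not from the thread). Assumed: the CA subject below and a USB path E:\.
$caName  = 'Primary Class 2 Certification Authority'
$cerPath = 'E:\primary-class2-ca.cer'

function Open-LocalMachineRoot([string]$access) {
    # 'Root' = Trusted Root Certification Authorities; 'LocalMachine' = Certificates (Local Computer)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open($access)
    return $store
}

# ---- Machine A: locate the CA and export it DER-encoded (the wizard's "DER encoded" option) ----
$storeA = Open-LocalMachineRoot 'ReadOnly'
$ca = $storeA.Certificates | Where-Object { $_.Subject -like "*$caName*" } | Select-Object -First 1
$storeA.Close()
if (-not $ca) { throw "No certificate matching '$caName' in LocalMachine\Root" }
$ca | Format-List Subject, Issuer, Thumbprint, NotAfter
[IO.File]::WriteAllBytes($cerPath, $ca.Export('Cert'))

# ---- Machine B (elevated): compare the thumbprint with machine A's, then import ----
# Anything in LocalMachine\Root is trusted by every user and service on the box, so check it first.
$import = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
"Importing root '$($import.Subject)' with thumbprint $($import.Thumbprint)"
$storeB = Open-LocalMachineRoot 'ReadWrite'
$storeB.Add($import)
$storeB.Close()

# ---- Machine B: does the site's certificate now chain to a trusted root? ----
function Test-SiteChain([string]$hostName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
    # Accept any cert at the TLS layer so the chain can be inspected explicitly below
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($hostName)
    $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # focus on trust, not CRL reachability
    $trusted = $chain.Build($leaf)
    $ssl.Close(); $tcp.Close()
    if ($trusted) {
        "OK: $hostName chains to '$(($chain.ChainElements | Select-Object -Last 1).Certificate.Subject)'"
    } else {
        # Before the import this reports UntrustedRoot, which IE shows as "Untrusted certificate"
        "UNTRUSTED: $hostName -> " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}
Test-SiteChain 'example.com'
```

Run the machine A part and the machine B part on their respective computers; the store write on machine B needs an elevated PowerShell.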
Wednesday, November 17, 2010 5:03 PM ✅Answered
Hi,
1. Yes, the Local Machine certificate store and the user certificate store are like the LM and CU registry hives: each user that logs on to that machine will have their own set of certificates, either auto-enrolled from Active Directory or manually installed. On the other hand, the Local Machine store will have the same set of certificates independent of the logged-on user. Some operations, like establishing that another server is trustworthy, require machine trust. Other operations, like sending an encrypted email, require a user-specific certificate that no other user should be able to access.
2. When you open the Local machine store as noted above, you can "File -> Save" the MMC console with any consoles loaded that you desire. This will serve as a shortcut similar to certmgr.msc and you can copy the saved file to other computers if you wish. There is no built-in way to open the Local Machine store that is faster than what I already suggested.
Thanks!
John
Thursday, November 18, 2010 12:15 AM ✅Answered
Hi,
To see the true step-by-step, you can enable CAPI logs, go to an "https" site, and examine the logs from start to finish.
A very detailed walk-through of what exactly happens is here: http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx
Thanks,
John
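Enabling the CAPI2 operational log and pulling the chain-building events it records for an HTTPS visit, as an added example that is not from the thread. Event IDs 11 (Build Chain) and 30 (Verify Chain Policy) are the CAPI2 events; the XML attribute names read below (`Result/@value`, `Certificate/@subjectName`) are assumed from the log's documented layout.

```powershell
# Added example (not from the thread). Run elevated to change the log state.
# Assumed: the Result/@value and Certificate/@subjectName attributes in the CAPI2 event XML.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true     # /e:false turns it off again

function Get-CapiChainEvents([int]$last = 20) {
    # 11 = Build Chain, 30 = Verify Chain Policy: the two steps that decide "trusted or not"
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11, 30 } -MaxEvents $last |
        ForEach-Object {
            [xml]$x = $_.ToXml()
            # Result carries the HRESULT: 0 = success, 800B0109 = CERT_E_UNTRUSTEDROOT (IE's "Untrusted certificate")
            $result  = $x.SelectSingleNode('//*[local-name()="Result"]/@value').Value
            $subject = $x.SelectSingleNode('//*[local-name()="Certificate"]/@subjectName').Value
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Id = $_.Id; Subject = $subject; Result = $result
            }
        }
}

# Visit https://example.com in IE, then list what CAPI2 decided and why
Get-CapiChainEvents | Format-Table -AutoSize Time, Id, Subject, Result
```

Get-WinEvent reports an error rather than an empty list if no matching events exist yet, so browse to the site before querying.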
Wednesday, November 17, 2010 11:14 AM
Hi John,
Thank you for the detailed answer. The bottom line: it works now.
But I have new questions and I want to understand how certificates work. So, if needed, I can open new threads.
1. What is difference between Certificates (Local Computer), Certificates (Current User) and Certificates (Service)?
I see that Certificates (Local Computer) and Certificates (Current User) contain similar information: folder names, certificates (approx. 60-70%).
Is it like HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER in the registry?
2. Is there a shorter path to access/view Certificates (Local Computer)? For example, to access Certificates (Current User) I can run the command certmgr.msc.
Wednesday, November 17, 2010 9:38 PM
Hi John,
Thanks for your professional answers.
You asked me: "Can you explain why you would like machine B to trust that website?
Can you join machine B to the domain that trusts the “Primary Class 2 Certification Authority”?"
I would like machine B to trust that website (https://example.com) because I don't want to see Certificate Error: "Untrusted certificate" when I access that website.
I can, but I don't want to join machine B to a domain.
===============================================================
If it isn't very difficult for you, please explain to me how it works:
I have installed Windows 7 with Internet Explorer 8. The Internet Explorer 8 installation has built-in certificates like the Verisign CA. Now I try to connect to the site https://www.bankXYZ.com, which has a certificate that was signed by the Verisign company.
I want to know (step-by-step) how I get access to the site https://www.bankXYZ.com (how the certificate mechanism works): ALL request transactions my computer <-> website server to validate certificate authentication.
Which information is sent between my computer and website server?
Does Internet Explorer copy the certificate from bank website to my computer?
Thanks