Q on installing Certification Authority for dig cert

Status
Not open for further replies.

pogi05

IS-IT--Management
Jul 12, 2006
71
US
Ok, hopefully a quick question:

Setup: Single-Server w/ Win 2003 Exchange 2003 used as RPC Proxy Server

I'm trying to install a digital certificate to use for RPC over HTTPS w/ Exchange 2003.

When I've created the internal Enterprise Root (CA) with a common name of the INTERNAL FQDN the created certificate works fine with the only obvious problem that when I connect in a browser it gives me a sec. error.

So.. I reinstalled the internal Enterprise Root (CA) with a common name instead of the EXTERNAL FQDN (mail.domain.com), but this certificate doesn't let me do HTTPS properly at ALL.

I've tried using Test Certificates from Thawte.com but they won't work with RPC either (because the client will disconnect from the RPC Proxy Server due to the certificate issue - the certificate isn't trusted)


****Q: Is there a way to create a functional internal Enterprise Root CA that will give me a digital certificate I can successfully use for RPC over HTTP??
 
Well, I don't know RPC over HTTP, but I would say that you should have a ROOT CA in your internal domain and it should be named with the internal FQDN. Then, any of your domain members' workstations should automatically have that root CA installed as a trusted root cert.

If the client trusts the root cert of the cert being handed up by the service, then it should work.

 
Are you connecting from a computer in the same domain as the internal CA? If not (e.g. you're connecting from a home PC) then you'll get the security error until you choose to trust the cert as your internally generated cert isn't trusted outside of your domain. Personally I use 3rd party certs (Verisign etc.) for external facing SSL and just use the internal CA for internally used certs (e.g. the ISA OWA to FE Exchange SSL)
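
The two conditions raised in the replies above (the client must trust the issuing root, and the certificate must carry the name the client connects to) can be checked separately. The script below is an added example, not part of the original thread: it uses OpenSSL rather than the Windows CA from the question, and the lab CA name and `server01.corp.example` are constructed sample values.

```bash
# Constructed lab: a throwaway root CA stands in for the internal Enterprise Root CA.
# mail.domain.com is the thread's external name; every other name is a sample value.

build_lab() {
  LAB=${LAB:-$(mktemp -d)}
  cat > "$LAB/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$LAB/ca.cnf" \
    -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
  # Server key and CSR, named for the host that clients actually connect to.
  openssl req -new -newkey rsa:2048 -nodes -config "$LAB/ca.cnf" \
    -subj "/CN=mail.domain.com" -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null
  printf 'subjectAltName = DNS:mail.domain.com\n' > "$LAB/san.cnf"
  openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 30 -extfile "$LAB/san.cnf" -out "$LAB/srv.pem" 2>/dev/null
}

# client_accepts <root trusted: yes|no> <hostname the client connects to>
# Returns 0 only if the chain ends at a trusted root AND the name is in the cert.
client_accepts() {
  if [ "$1" = yes ]; then   # e.g. a domain member that has the internal root installed
    out=$(openssl verify -CAfile "$LAB/ca.pem" -verify_hostname "$2" "$LAB/srv.pem" 2>&1) || true
  else                      # e.g. a home PC: only the system's default roots
    out=$(openssl verify -verify_hostname "$2" "$LAB/srv.pem" 2>&1) || true
  fi
  printf '%s\n' "$out" | grep -q ': OK$'
}

build_lab
trap 'rm -rf "$LAB"' EXIT   # remove the throwaway keys when the script ends
for c in "yes mail.domain.com" "no mail.domain.com" "yes server01.corp.example"; do
  set -- $c
  if client_accepts "$1" "$2"; then r=accept; else r=reject; fi
  printf 'root trusted=%-3s name=%-24s -> %s\n' "$1" "$2" "$r"
done
```

Only the first case is accepted: removing the root from the client's store, or connecting under a name the certificate does not list, each fails on its own.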
 