RE: Certification Question

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Mar 2005 09:14:07 -0500

I'm working on my English as a Second language class, so bear with me.  :)

I did say exactly what you mention, but apparently not in a coherent and
meaningful way to my target audience. Namely you. 

That said, I did mention a way to have them install the cert into their
store via your web page and instructions process.  In other words, they can
visit the web page, download and INSTALL the certificate into the trusted
store and won't have a problem past that. 

Keep in mind the only reason the trusted third party certificates work
without prompting is because they are already in the trusted store on the
local machine.  Microsoft put them there for your convenience. You also have
settings that cause the workstations to go looking for updates etc.  I

Because those certs are already in the trusted store, your user doesn't get
prompted for anything when using those certificates.  Very convenient.  

You created your own CA.  You are your own third-party trusted CA and now
you want to put that certificate in the consumers trusted store.  The
problem is that they will have to be aware at some level that you're doing

The link I sent you was one option.  Using Rick's suggestion or Tom's
suggestion is a good idea, but if you're bent on doing it this way, consider
making it a part of the sign-up and configuration process vs. something you
script. That way you don't have to worry about multiple versions of OS, you
don't have to worry about circumventing safety processes that are setup to
help the consumer trust Microsoft and you, and you don't have to write and
maintain code. All you have to do is explain to the consumer how to visit a
web page and how to install a certificate as part of your process.

Let me know Andrew if I need to translate this to some other language other
than English.  I'm sure I can find something to help connect the ideas.  :)


-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 5:25 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question



The current way OWA with SSL works is when you go to you will be prompted to accept the

Once you accept the cert you then see the OWA login page. You login and your

okay got it?

RPC over HTTP does not prompt the user to accept the cert, it assumes the
user has installed the cert into their computer.. ie in Certificates for the
local computer -> Certificates -> Personal

If you go to your certs machine and type: http://IP/certsrv and login and
choose "download a CA certificate....blah...blah..." and then click on
"Install this CA..blah blah" on the next page the CA will be installed on
the machine you are using to access certsrv. 

Thus when you go to which you just installed the
cert for you will NOT be prompted for the cert. Thus when you use RPC over
HTTP you WILL connect to the exchange server.

I simply don't want users to have access to /certsrv, I would rather create
or used part of the certcarc.asp code (which installs the cert on your
machine) to create a new page which users who are currently using my email
services can access to install the cert on their personal computers.

I am just trying to figure out if there is a easier way to go about it,
since I don't want to waste my friends time in dismantling Microsoft's ASP
code! :)


-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, March 07, 2005 4:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

Ok.  So you want them to get the cert and install it in the store, a la the
way that you get prompted for an untrusted cert on an IIS page in IE, only
not prompt them for it correct? Basically handle the warnings etc in another
way than a popup else let the popup occur in your process (in other words,
let the user browse to the secure site that tells them how to set this up
and have them insert it in the trusted store or offer a script that does
this for them (I opt for the previous: letting them see the cert popup, and
telling them to accept it and install the cert vs. automating it.  For many
reasons including technical and security reasons).

I think there are all kinds of issues with doing this, such as the user has
to be able to write to the trusted store etc.  However, I believe this is
the concept you're looking for:

Let me know if I missed the concept totally.


List Archives:
Exchange Newsletters:
Exchange FAQ:
Other Internet Software Marketing Sites:
World of Windows Networking: Leading
Network Software Directory:
No.1 ISA Server Resource Site: Windows Security
Resource Site: Network Security Library: Windows 2000/NT Fax Solutions:
You are currently subscribed to this Discussion List as:
al.mulnick@xxxxxxxxxx To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxxx

Other related posts: