RE: Certification Question

  • From: "Mulnick, Al" <Al.Mulnick@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 8 Mar 2005 09:14:07 -0500

I'm working on my English as a Second language class, so bear with me.  :)


I did say exactly what you mention, but apparently not in a coherent and
meaningful way to my target audience. Namely you. 

That said, I did mention a way to have them install the cert into their
store via your web page and instructions process.  In other words, they can
visit the web page, download and INSTALL the certificate into the trusted
store and won't have a problem past that. 

Keep in mind the only reason the trusted third party certificates work
without prompting is because they are already in the trusted store on the
local machine.  Microsoft put them there for your convenience. You also have
settings that cause the workstations to go looking for updates etc.  I
digress....

Because those certs are already in the trusted store, your user doesn't get
prompted for anything when using those certificates.  Very convenient.  

You created your own CA.  You are your own third-party trusted CA and now
you want to put that certificate in the consumer's trusted store.  The
problem is that they will have to be aware at some level that you're doing
that. 


The link I sent you was one option.  Using Rick's suggestion or Tom's
suggestion is a good idea, but if you're bent on doing it this way, consider
making it a part of the sign-up and configuration process vs. something you
script. That way you don't have to worry about multiple versions of OS, you
don't have to worry about circumventing safety processes that are set up to
help the consumer trust Microsoft and you, and you don't have to write and
maintain code. All you have to do is explain to the consumer how to visit a
web page and how to install a certificate as part of your process.


Let me know, Andrew, if I need to translate this to some other language other
than English.  I'm sure I can find something to help connect the ideas.  :)

 

-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, March 07, 2005 5:25 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

http://www.MSExchange.org/

Al, 

Uhm...

The current way OWA with SSL works is when you go to
https://owa.smoothrunnings.ca/exchanage you will be prompted to accept the
cert. 

Once you accept the cert you then see the OWA login page. You log in and you're
done.

Okay, got it?

RPC over HTTP does not prompt the user to accept the cert, it assumes the
user has installed the cert into their computer, i.e. in Certificates for the
local computer -> Certificates -> Personal

If you go to your certs machine and type: http://IP/certsrv and log in and
choose "download a CA certificate....blah...blah..." and then click on
"Install this CA..blah blah" on the next page the CA will be installed on
the machine you are using to access certsrv. 

Thus when you go to owa.sitename.com/exchange which you just installed the
cert for you will NOT be prompted for the cert. Thus when you use RPC over
HTTP you WILL connect to the exchange server.

I simply don't want users to have access to /certsrv, I would rather create
or use part of the certcarc.asp code (which installs the cert on your
machine) to create a new page which users who are currently using my email
services can access to install the cert on their personal computers.

I am just trying to figure out if there is an easier way to go about it,
since I don't want to waste my friend's time in dismantling Microsoft's ASP
code! :)

Andrew

-----Original Message-----
From: Mulnick, Al [mailto:Al.Mulnick@xxxxxxxxxx]
Sent: Monday, March 07, 2005 4:40 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Certification Question

Ok.  So you want them to get the cert and install it in the store, a la the
way that you get prompted for an untrusted cert on an IIS page in IE, only
not prompt them for it, correct? Basically handle the warnings etc. in another
way than a popup, else let the popup occur in your process (in other words,
let the user browse to the secure site that tells them how to set this up
and have them insert it in the trusted store or offer a script that does
this for them). I opt for the previous: letting them see the cert popup, and
telling them to accept it and install the cert vs. automating it, for many
reasons including technical and security reasons.


I think there are all kinds of issues with doing this, such as the user has
to be able to write to the trusted store etc.  However, I believe this is
the concept you're looking for:

http://support.microsoft.com/kb/297681


Let me know if I missed the concept totally.

al 
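
The install step discussed in this thread, with the checks worth running before a private root CA is trusted, as an added PowerShell example that is not part of the original messages. The file name and fingerprint are placeholders; it assumes the provider publishes the CA's SHA-256 fingerprint through a separate channel and that the client has the PKI module's Import-Certificate cmdlet.

```powershell
# Added example (not from the thread): verify a private root CA before trusting it.
function Install-VerifiedRootCA {
    param(
        [Parameter(Mandatory)] [string] $CertPath,       # CA certificate downloaded from the provider's page
        [Parameter(Mandatory)] [string] $ExpectedSha256  # fingerprint obtained out of band (assumption)
    )

    $fullPath = (Resolve-Path -LiteralPath $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # 1. The file must be exactly the certificate the provider published.
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
    $expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        throw "Fingerprint mismatch: got $actual. Not installing."
    }

    # 2. It must be a CA certificate issued to itself, not a server or client certificate.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate.' }
    if ($cert.Subject -ne $cert.Issuer) { throw 'Not a root: subject and issuer differ.' }

    # 3. It must be inside its validity period.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw 'Certificate is outside its validity period.'
    }

    # 4. Add it to the current user's Trusted Root store. The per-user store needs no
    #    administrator rights, and Windows normally asks the user to confirm the new root.
    Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\CurrentUser\Root
}

# Usage (placeholder values):
# Install-VerifiedRootCA -CertPath .\provider-root-ca.cer -ExpectedSha256 '<fingerprint from the provider>'
```

Because the function stops on any failed check, a substituted or mistyped certificate never reaches the trust store.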
