Tags: ssl, exchange-server, outlook-web-app, oma

Self SSL - Invalid Certificate


I used Self SSL for the first time today to create a certificate for our exchange-OMA/OWA. I have imported the certificate into trusted root certificate authorities on my local computer so that it will not prompt that the certificate is not from a trusted source.

I am however still getting a certificate error "Invalid Certificate", the IE8 browser bar turns red with a security warning. When I view the certificate it does not display any error and says the certificate is fine.

Can anyone tell me why I am getting this error? Is it normal for self-signed certificates, or is the certificate really invalid somehow?

Thank you


Solution

  • Make sure that the CN ("Common Name") attribute matches in your URL and certificate. For example, if you created your certificate using CN=localhost, but you are accessing it in IE using something like https://machine.domain.topleveldomain, then IE will complain that machine.domain.topleveldomain is not the same as localhost. I believe it does a string comparison.

  • Make sure that the certificate was installed in the Trusted Root Certification Authorities (TRCA) under the Local Computer physical store.

  • If all is installed correctly, then there is one more possibility. Windows has a "feature" that wipes out untrusted certificates (untrusted according to Microsoft) from the TRCA. You can disable this feature first and then reinstall the certificate.

    Open up gpedit.msc and drill down to Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > Turn off Automatic Root Certificates Update. Enable "Turn off Automatic Root Certificates Update".

    Microsoft provides some details about what that feature does: it's a security feature where your TRCA is compared against Microsoft's database of valid root certificates.

  • If it is still not working after you turn that feature off, then there is a problem with the way in which you created that certificate. You can make a certificate using makecert: http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.80).aspx

    If your computer's fully qualified name is machine.domain.com, you can do this:

        makecert -n "CN=machine.domain.com" c:\file.cer

    Eventually you can access your resources by: https://machine.domain.com

  Hope this helps. I have had my fair share of self-signed certificate woes.
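The first point in the answer (the URL host must match the name in the certificate) is the check that most often produces the red "Invalid Certificate" bar. The script below is an added illustration, not code from the original post or from any Microsoft tool: it implements the hostname-matching rule a browser applies, using hand-constructed certificate name fields (`CertNames`, a stand-in for a parsed certificate) rather than a real certificate file. It goes slightly beyond the answer in two ways that matter for anyone generating a certificate today: it handles wildcard names per RFC 6125, and it reflects that current browsers consult only the subjectAltName (SAN) entries when any are present and ignore the CN, so a CN-only certificate like the `makecert` example will still be rejected by modern clients unless a SAN is added.

```python
"""Hostname-vs-certificate name matching (added illustration; all
certificate fields below are constructed, no real certificate is parsed)."""

from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class CertNames:
    """Identity fields a browser inspects. Constructed stand-in for a parsed cert."""
    common_name: str
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


def _name_match(pattern: str, host: str) -> bool:
    """Match one certificate name against a host (case-insensitive).

    Wildcard rules per RFC 6125: '*' is honoured only as the entire leftmost
    label, it matches exactly one label, and it is refused for very short
    names such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host  # plain string comparison, as the answer says
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard not alone in the leftmost label: reject
    if len(p_labels) < 3:
        return False  # '*.com' style wildcards are not accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(host: str, cert: CertNames) -> bool:
    """True if the URL host is covered by the certificate.

    If any SAN dNSName is present, only the SANs are consulted and the CN is
    ignored (current browser behaviour); the CN is used only as the legacy
    fallback for certificates that carry no SAN at all.
    """
    if cert.san_dns:
        return any(_name_match(name, host) for name in cert.san_dns)
    return _name_match(cert.common_name, host)


def check_url(url: str, cert: CertNames) -> tuple:
    """Extract the host from a URL and explain the match result."""
    host = urlsplit(url).hostname or ""
    ok = hostname_matches(host, cert)
    names = cert.san_dns or [cert.common_name]
    where = "SAN" if cert.san_dns else "CN (no SAN present)"
    verdict = "matches" if ok else "does NOT match"
    return ok, f"{host!r} {verdict} {where} {names}"


if __name__ == "__main__":
    # The situation from the answer: CN=localhost but accessed by FQDN.
    print(check_url("https://machine.domain.topleveldomain/owa",
                    CertNames("localhost"))[1])
    # The makecert example: CN equals the FQDN, no SAN (works only in legacy clients).
    print(check_url("https://machine.domain.com/owa",
                    CertNames("machine.domain.com"))[1])
    # A cert with a SAN: the CN is ignored even though it would have matched.
    print(check_url("https://machine.domain.com/owa",
                    CertNames("machine.domain.com", ["mail.domain.com"]))[1])
    # A wildcard SAN covers one label only.
    print(check_url("https://owa.domain.com/",
                    CertNames("ignored", ["*.domain.com"]))[1])
    print(check_url("https://a.b.domain.com/",
                    CertNames("ignored", ["*.domain.com"]))[1])
```

When diagnosing an "Invalid Certificate" warning, compare the exact host in the address bar with the names reported by `check_url`; a certificate that passes the "Certificate is OK" dialog can still fail this name check, which is precisely the symptom described in the question.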