IE 7 and SSL Certificates

This is rather annoying.

A few months ago we decided to implement SSL on our Outlook Web Access to make things nice and secure.

So I set about getting SSL (using a self certified certificate) working through ISA Server 2004 and a Front End Exchange Server 2003. Took quite a lot of messing about / learning to get it to work, but we managed it.

Things were rosy until Internet Explorer 7.0 was released. Now when people connect to our mail server they get this ominous warning from their client:

[Image: ie7cert.jpg]

Which I think will scare most of our staff and students off, and not check their emails. Especially as it recommends that they do not visit the site.

Has anyone found a way around this?

I don't mind producing a document they need to follow once to download and install our certificate, and add our site to their IE7 browser's "trusted sites" - but no matter what I do, it always pops this warning every single time...
 
It seems every one of your OWA users will have to do this to continue to use OWA without that warning popping up all the time.
 
Thanks for that. For some reason, once the certificate is installed, it still pops that warning up... every time :confused:

I don't mind them having to do something once to stop this happening. It's fair enough, so their browser protects them from other sites.
 
Who was the issuing CA? IE won't trust a certificate unless it trusts the Root CA that issues that Cert. The SSL connection will work (i.e. it will be encrypted), but the server won't be "Trusted" by the client.
 
We did. I made a certificate authority server internally and it is issued from there.

I understand that it isn't a paid for Verisign type certificate, so it isn't trusted automatically - but I hoped that I could do something to allow our clients to download the certificate, to stop IE 7 moaning every visit as in my OP...
 
oddjob62 said:
You can set up a GPO to automatically add the root CA's cert to each PC's list of trusted CAs

I am talking about the staff and students home machines here... so they can check their email from home.
 
oddjob62 said:
They will need to manually install the root cert.


That being the original certificate I created on the servers, and not the one they can download through the web browser?

I thought they were the same thing?

(thanks for your help BTW)
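
The difference between the root CA certificate and the server certificate discussed in this thread, as an added example that is not from any poster: it builds a throwaway root CA and a server certificate with the openssl CLI, then shows that the server certificate verifies only when the issuing root is in the trust store, and that only the root is self-signed. It assumes openssl 1.1.0 or later is installed; the names "Demo Root CA" and "mail.example.test" are constructed placeholders.

```shell
#!/bin/sh
# Added demo. Assumes the openssl CLI (1.1.0 or later) is installed.
# "Demo Root CA" and "mail.example.test" are constructed placeholder names.

make_demo_pki() {    # $1 = empty working directory
    # Root CA certificate: self-signed, so subject and issuer are identical.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    # Server key and signing request for the mail host.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # The root CA issues the server certificate.
    openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/root.crt" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

# Client that has the root CA in its trust store.
verify_with_root() {
    openssl verify -no-CApath -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Client with an empty trust store, like a home PC that never saw the root.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
}

# True only when the certificate's issuer is its own subject (a root).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    verify_with_root "$d"    && echo "root trusted:   server cert verifies"
    verify_without_root "$d" || echo "root missing:   server cert is rejected"
    is_self_signed "$d/root.crt"   && echo "root.crt:   self-signed (the CA certificate)"
    is_self_signed "$d/server.crt" || echo "server.crt: issued by the root, not self-signed"
    rm -rf "$d"
}
demo
```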
 