Trust a Certificate

KB ID 0001893

Problem

There was a question on the Spiceworks forum this week and I suggested simply trusting the certificate to stop a certificate error, and got asked:

Could you please let me know how to import the downloaded certificate

I was surprised to find I’d not really covered this as a stand-alone subject so here we go.

Solution: Trust a Certificate

Firstly, if you can, go and spend a few minutes reading the following article, Digital Certificates Explained, especially the Golden Rules of Certificates section. Every IT Pro and Developer should have a basic grasp of certificates and how they work. It will take you less than 5-10 minutes to read that article and will save you struggling in future.

Now you’ve read that article above, you know that to trust a certificate you must trust the CA that issued the certificate. With the asker’s problem it was getting the certificates from a VMware vCenter server, which is easy as peas, because it gives you the option to download them on the main screen.

Note: If you download the certs they come in a zip file. Extract them out of that zip file, or you won’t see “Open With” on your right click menu when you want to import the certificate(s).

Normally you will get four files. Two are CRL (Certificate Revocation List) files, and we won’t be needing those. For the two remaining files (the ones with the .crt extension), right click > Open With > Select Crypto Shell Extensions. (Note: If you don’t do this the file may open in Notepad, and just show you the certificate as a PEM file.)

Import or Trust a Certificate

Install Certificate > Select “Local Machine” > Next > Select “Place all certificates in the following store” > Next.

Finish > OK.

You can now see I don’t have any certificate errors (if yours still does, check the Golden Rules of Certificates (see above); one of them is still broken).

I can’t See a Root Certificate! (or Root CA Certificate)

In some cases you may need to select the Certification Path tab and select the CA certificates. There may be a few in the ‘chain’; look at each certificate and import them one by one, going up the chain all the way to the root certificate at the top.
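A scripted version of the import above, as an added example that is not part of the original article: it inspects each extracted .crt before trusting it, then places self-issued root CAs in the Local Machine Trusted Root Certification Authorities store and other CA certificates in the Intermediate Certification Authorities store. The folder path and the thumbprint list are placeholders; the thumbprints are assumed to have been confirmed with the CA's administrator over a separate channel.

```powershell
# Added example: check CA certificates, then trust them. Run from an elevated prompt.
# $CertFolder and $ExpectedThumbprints are placeholders, not values from the article.
param(
    [string]   $CertFolder = 'C:\Temp\certs',
    [string[]] $ExpectedThumbprints = @('<SHA1-THUMBPRINT-CONFIRMED-OUT-OF-BAND>')
)

foreach ($file in Get-ChildItem -Path $CertFolder -Filter *.crt) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

    # Only CA certificates belong in a CA store: Basic Constraints must say CA = true.
    # (Old v1 roots without this extension are skipped by this check.)
    $bc = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not ($bc -and $bc.CertificateAuthority)) {
        Write-Warning "$($file.Name): not a CA certificate, skipped"
        continue
    }

    # Skip certificates that are expired or not yet valid.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning "$($file.Name): outside its validity period, skipped"
        continue
    }

    # Refuse anything whose thumbprint was not confirmed beforehand.
    if ($ExpectedThumbprints -notcontains $cert.Thumbprint) {
        Write-Warning "$($file.Name): thumbprint $($cert.Thumbprint) not expected, skipped"
        continue
    }

    # Subject equal to issuer is treated as a root; anything else as an intermediate.
    $store = 'Cert:\LocalMachine\CA'
    if ($cert.Subject -eq $cert.Issuer) { $store = 'Cert:\LocalMachine\Root' }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
    Write-Output "$($cert.Subject) -> $store"
}
```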

Related Articles, References, Credits, or External Links

NA

Exchange / Outlook – Security Alert – “The security certificate was issued by a company you have not chosen to trust”

KB ID 0000454

Problem

Out of the box, Exchange 2007 and 2010 come with a “Self Signed” digital certificate. That’s OK for getting you up and running, but your Outlook clients may start to see the error below.

Error:
Security Alert
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
The security certificate was issued by a company you have chosen not to trust. View the Certificate to determine whether you want to trust the certifying authority.

Solution

You have a number of options to stop this error.

Option 1 (This is WHAT YOU SHOULD DO!)

You should purchase a certificate signed by a trusted certification authority. These used to cost a fortune, but if you shop around you can pick them up very cheaply.

Obtaining, and Installing an Exchange Certificate.

Option 2 (Free, and handy if you don’t have a lot of clients)

It still amazes me that people will pay out for a new server, and Exchange, but then refuse to buy a certificate? But if you’re reading this then that might well be you. You can choose to trust the certificate that’s being presented to you. You carry out this procedure on each Outlook client. (If you have a lot of Outlook clients then skip to options 3 and 4.)

1. First, start up Outlook and get the error message on the screen.

2. Select “View Certificate” > Install Certificate > Next.

3. Select “Place all certificates in the following store” > Browse > Select “Trusted Root Certification Authorities” > OK.

4. Finish.

5. Select yes to accept the certificate import > Restart Outlook.

Option 3 (Free, and handy if you have a lot of clients)

Install Certificates with Group Policy GPO

Option 4

Install your own certification authority, and sign your own Exchange certificate. Great if you already have a CA, though it’s a mess about just to solve this problem.

