Convert Self-Signed Certificate?

on 03.04.2007 17:41:12 by Lucius

Using an internal Microsoft Certificate Authority server, I have
created a root CA and signed many web site certificates. The latest
version of IE makes these IIS/MS-CA SSL sites look "criminal" because
the certificates were not signed by Verisign. I give up. How can I
convert my root CA certificate to something that I can submit to a
"pay authority" so the chain will be automatically trusted by all
browsers?

Thanks.

Re: Convert Self-Signed Certificate?

on 03.04.2007 19:00:25 by Patrick Kremer

Are these public sites or internal-only sites? If the latter, just add the
root certificate to the CAPI store on each computer.

If the former, there is no "conversion." You pay some money and you install
the proper certificate on each web server one at a time. What you are asking
for is that the world believe your self-signed certificates are as
trustworthy as a real certificate authority.

Self-signed certificates on the Internet are a really, really bad idea
because anyone can duplicate them.

They may also be a bad idea on internal networks depending on how loose your
network access controls are.

Ray

"lucius" wrote in message
news:t7t413lqeae510ugfbaj8gefe6c12jra0q@4ax.com...
> Using an internal Microsoft Certificate Authority server, I have
> created a root CA and signed many web site certificates. The latest
> version of IE makes these IIS/MS-CA SSL sites look "criminal" because
> the certificates were not signed by Verisign. I give up. How can I
> convert my root CA certificate to something that I can submit to a
> "pay authority" so the chain will be automatically trusted by all
> browsers?
>
> Thanks.
>
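
Added example, not part of any post in this thread: a small OpenSSL sketch of the trust decision discussed above. A site certificate signed by a private root validates only for a client that holds that root as a trust anchor, and a self-signed certificate that merely copies the site's name does not validate against it. All names are constructed placeholders, and the `-CAfile` anchor stands in for the root store on a client machine.

```shell
#!/bin/sh
# Added example. Every name below is a constructed placeholder.

# selfsigned <cn> <basename>: write <basename>.key and a self-signed <basename>.pem
selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# build_pki <dir>: a private root, a site cert signed by it, an unrelated root
# (stand-in for a CA the client already trusts), and a self-signed cert that
# copies the site's name.
build_pki() {
  ( cd "$1" || exit 1
    selfsigned "Example Internal Root" root || exit 1
    selfsigned "Example Public Root" public || exit 1
    selfsigned "intranet.example.test" lookalike || exit 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
      -keyout site.key -out site.csr 2>/dev/null || exit 1
    openssl x509 -req -in site.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 30 -out site.pem 2>/dev/null )
}

# trusts <anchor.pem> <cert.pem>: exit 0 only if the cert chains to the anchor
# (the constructed certs are not in any system store, so that store is moot).
trusts() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  build_pki "$d" || return 1
  for pair in "root site" "public site" "root lookalike"; do
    set -- $pair
    if trusts "$d/$1.pem" "$d/$2.pem"; then r=trusted; else r=REJECTED; fi
    echo "anchor=$1 cert=$2 -> $r"
  done
  rm -rf "$d"
}

demo
```

Only the first pairing is accepted: the client that holds the private root trusts the site certificate, while a client holding a different root, or a certificate that only reuses the name, is rejected.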

Re: Convert Self-Signed Certificate?

on 03.04.2007 20:14:20 by Lucius

Hmmm. So what's the point of creating a Microsoft Certificate Server?
Shouldn't I be able to make my CA a "subordinate" of a "pay authority"
and issue certs from my CA then?



On Tue, 3 Apr 2007 13:00:25 -0400, "Ray" wrote:

>Are these public sites or internal-only sites? If the latter, just add the
>root certificate to the CAPI store on each computer.
>
>If the former, there is no "conversion." You pay some money and you install
>the proper certificate on each web server one at a time. What you are asking
>for is that the world believe your self-signed certificates are as
>trustworthy as a real certificate authority.
>
>Self-signed certificates on the Internet are a really, really bad idea
>because anyone can duplicate them.
>
>They may also be a bad idea on internal networks depending on how loose your
>network access controls are.
>
>Ray
>
>"lucius" wrote in message
>news:t7t413lqeae510ugfbaj8gefe6c12jra0q@4ax.com...
>> Using an internal Microsoft Certificate Authority server, I have
>> created a root CA and signed many web site certificates. The latest
>> version of IE makes these IIS/MS-CA SSL sites look "criminal" because
>> the certificates were not signed by Verisign. I give up. How can I
>> convert my root CA certificate to something that I can submit to a
>> "pay authority" so the chain will be automatically trusted by all
>> browsers?
>>
>> Thanks.
>>
>

Re: Convert Self-Signed Certificate?

on 03.04.2007 20:56:01 by Mike002

I don't understand your point... do you want to be a trusted third party or a
certificate authority??!!

- the point of creating a MS Certificate Server is to give you PKI
functionality, so that you can issue, manage, and revoke PKCs.
- to do that, you need to get a cert that is signed by a trusted party like
VeriSign, so others can trust you in return. and then you can use this
"trusted cert" as a root certificate for your CA to sign other certs.
- plus, you didn't answer Ray's question: is it for public or local network
use?

HTH

"lucius" wrote:

> Hmmm. So what's the point of creating a Microsoft Certificate Server?
> Shouldn't I be able to make my CA a "subordinate" of a "pay authority"
> and issue certs from my CA then?
>
>
>
> On Tue, 3 Apr 2007 13:00:25 -0400, "Ray" wrote:
>
> >Are these public sites or internal-only sites? If the latter, just add the
> >root certificate to the CAPI store on each computer.
> >
> >If the former, there is no "conversion." You pay some money and you install
> >the proper certificate on each web server one at a time. What you are asking
> >for is that the world believe your self-signed certificates are as
> >trustworthy as a real certificate authority.
> >
> >Self-signed certificates on the Internet are a really, really bad idea
> >because anyone can duplicate them.
> >
> >They may also be a bad idea on internal networks depending on how loose your
> >network access controls are.
> >
> >Ray
> >
> >"lucius" wrote in message
> >news:t7t413lqeae510ugfbaj8gefe6c12jra0q@4ax.com...
> >> Using an internal Microsoft Certificate Authority server, I have
> >> created a root CA and signed many web site certificates. The latest
> >> version of IE makes these IIS/MS-CA SSL sites look "criminal" because
> >> the certificates were not signed by Verisign. I give up. How can I
> >> convert my root CA certificate to something that I can submit to a
> >> "pay authority" so the chain will be automatically trusted by all
> >> browsers?
> >>
> >> Thanks.
> >>
> >
>
>

Re: Convert Self-Signed Certificate?

on 03.04.2007 22:39:10 by Lucius

This is for publicly-accessible sites. The root cert that is
installed on several hosts is self-signed. I was under the impression
that the same CA cert could be verified/signed by Verisign or
equivalent. That way the "chain of trust" would be "extended" by
having the root CA actually verified by Verisign or equivalent.


On Tue, 3 Apr 2007 11:56:01 -0700, Mike002
wrote:

>I don't understand your point... do you want to be a trusted third party or a
>certificate authority??!!
>
>- the point of creating a MS Certificate Server is to give you PKI
>functionality, so that you can issue, manage, and revoke PKCs.
>- to do that, you need to get a cert that is signed by a trusted party like
>VeriSign, so others can trust you in return. and then you can use this
>"trusted cert" as a root certificate for your CA to sign other certs.
>- plus, you didn't answer Ray's question: is it for public or local network
>use?
>
>HTH
>
>"lucius" wrote:
>

Re: Convert Self-Signed Certificate?

on 04.04.2007 14:41:11 by Patrick Kremer

It's so you can run an in-house PKI. As long as you install your root
certificate in your browsers, you can use self-signed certificates for
Intranet applications, like HTTPS switch interfaces, remote access,
generating computer identification certificates, etc.

It does save the company money and it allows you to create and revoke
certificates immediately.

Ray

"lucius" wrote in message
news:9a6513hao9u8ro2qnkagqjpkgb0fiqm625@4ax.com...
> Hmmm. So what's the point of creating a Microsoft Certificate Server?
> Shouldn't I be able to make my CA a "subordinate" of a "pay authority"
> and issue certs from my CA then?
>
>
>
> On Tue, 3 Apr 2007 13:00:25 -0400, "Ray" wrote:
>
>>Are these public sites or internal-only sites? If the latter, just add the
>>root certificate to the CAPI store on each computer.
>>
>>If the former, there is no "conversion." You pay some money and you
>>install
>>the proper certificate on each web server one at a time. What you are
>>asking
>>for is that the world believe your self-signed certificates are as
>>trustworthy as a real certificate authority.
>>
>>Self-signed certificates on the Internet are a really, really bad idea
>>because anyone can duplicate them.
>>
>>They may also be a bad idea on internal networks depending on how loose
>>your
>>network access controls are.
>>
>>Ray
>>
>>"lucius" wrote in message
>>news:t7t413lqeae510ugfbaj8gefe6c12jra0q@4ax.com...
>>> Using an internal Microsoft Certificate Authority server, I have
>>> created a root CA and signed many web site certificates. The latest
>>> version of IE makes these IIS/MS-CA SSL sites look "criminal" because
>>> the certificates were not signed by Verisign. I give up. How can I
>>> convert my root CA certificate to something that I can submit to a
>>> "pay authority" so the chain will be automatically trusted by all
>>> browsers?
>>>
>>> Thanks.
>>>
>>
>

Re: Convert Self-Signed Certificate?

on 04.04.2007 14:45:12 by Patrick Kremer

No. That would in fact make you a competitor of Verisign and would extend
their reputation to anything that you do (because the certificate chain
traces back to them as the final authority).

Extreme example: If this were allowed, you could put up a CA on the Internet
and allow anyone to create a certificate by themselves without paying anyone
any money.

The value of a trusted third party certificate authority is that they are
supposed to investigate and confirm that you are really you before you are
issued a certificate.

Ray

"lucius" wrote in message
news:nne513hc6vc2j47amt7mla0d66idk8k211@4ax.com...
>
> This is for publicly-accessible sites. The root cert that is
> installed on several hosts is self-signed. I was under the impression
> that the same CA cert could be verified/signed by Verisign or
> equivalent. That way the "chain of trust" would be "extended" by
> having the root CA actually verified by Verisign or equivalent.
>
>
> On Tue, 3 Apr 2007 11:56:01 -0700, Mike002
> wrote:
>
>>I don't understand your point... do you want to be a trusted third party
>>or a
>>certificate authority??!!
>>
>>- the point of creating a MS Certificate Server is to give you PKI
>>functionality, so that you can issue, manage, and revoke PKCs.
>>- to do that, you need to get a cert that is signed by a trusted party
>>like
>>VeriSign, so others can trust you in return. and then you can use this
>>"trusted cert" as a root certificate for your CA to sign other certs.
>>- plus, you didn't answer Ray's question: is it for public or local
>>network
>>use?
>>
>>HTH
>>
>>"lucius" wrote:
>>

Re: Convert Self-Signed Certificate?

on 09.04.2007 12:45:49 by Ken Schaefer

I believe that certain root CAs do do this *but* as you say, you are
effectively becoming a competitor. So the cost of getting such an issuing
certificate is probably quite high, and the process of getting one would be
quite rigorous.

Cheers
Ken

"Ray" wrote in message news:%23MAXpcrdHHA.1884@TK2MSFTNGP04.phx.gbl...
> No. That would in fact make you a competitor of Verisign and would extend
> their reputation to anything that you do (because the certificate chain
> traces back to them as the final authority).
>
> Extreme example: If this were allowed, you could put up a CA on the
> Internet and allow anyone to create a certificate by themselves without
> paying anyone any money.
>
> The value of a trusted third party certificate authority is that they are
> supposed to investigate and confirm that you are really you before you are
> issued a certificate.
>
> Ray
>
> "lucius" wrote in message
> news:nne513hc6vc2j47amt7mla0d66idk8k211@4ax.com...
>>
>> This is for publicly-accessible sites. The root cert that is
>> installed on several hosts is self-signed. I was under the impression
>> that the same CA cert could be verified/signed by Verisign or
>> equivalent. That way the "chain of trust" would be "extended" by
>> having the root CA actually verified by Verisign or equivalent.
>>
>>
>> On Tue, 3 Apr 2007 11:56:01 -0700, Mike002
>> wrote:
>>
>>>I don't understand your point... do you want to be a trusted third party
>>>or a
>>>certificate authority??!!
>>>
>>>- the point of creating a MS Certificate Server is to give you PKI
>>>functionality, so that you can issue, manage, and revoke PKCs.
>>>- to do that, you need to get a cert that is signed by a trusted party
>>>like
>>>VeriSign, so others can trust you in return. and then you can use this
>>>"trusted cert" as a root certificate for your CA to sign other certs.
>>>- plus, you didn't answer Ray's question: is it for public or local
>>>network
>>>use?
>>>
>>>HTH
>>>
>>>"lucius" wrote:
>>>
>
>