Certificate process (Internal management websites)
Hey guys,
We have a few servers here at work that have web servers on them (using various ports). They have web server services because we log into web interfaces to manage various things. For each of these internal sites, it displays a bad certificate error.
Can someone please list the steps we have to take in order to automatically trust these sites? Please tell me if I am wrong:
1. Generate self-signed certificate on the server that hosts the web site
2. Import that self-signed certificate on the Enterprise Certificate Authority server (but what cert store?)
May 17th, 2012 11:54am
Hi there,
If you would like to automatically trust these sites, you want to create a domain CA. You can either do this on the webserver by turning on the CA role, or by creating a separate server to be the CA. Once you have a certificate, you want to import the certificate onto the workstations that will be accessing the site. You want to put this into trusted certificates.
Once this is complete, you should no longer get the error.
Remember, the client computers need to trust the certificate on the server. By default, a self-signed certificate is not enough, as if this is only on the server, you will get the certificate error you are probably receiving. If you import the certificate onto ALL clients that are accessing the website, the issue will go away.
Scott Latimer www.appreciativeconsulting.com
May 17th, 2012 12:09pm
So there is no easier way than to import the certificate onto ALL clients? Because we have a lot of clients who access these sites. I'm looking for a way to import it once to a CA server, and have the clients automatically trust it. The way you suggest doesn't seem scalable.
May 17th, 2012 12:19pm
If you push the certificate out with GPO, it is scalable. You can choose what groups of computers get the certificate. Or you could always purchase a certificate from a public CA, put it on the server and the computers will automatically trust it. Verisign and GoDaddy are two very good public CAs.
Scott Latimer www.appreciativeconsulting.com
May 17th, 2012 12:20pm
You can import any certificate, but the issue is whether the client computers will trust the certificate. By default, Microsoft does not put any self-signed certificates into its trusted store. Mostly they cannot, as the domain is used oftentimes with the certificate to know it is trusted. So, you must manually put the self-signed certificate into the trusted certs on the client computer.
Perhaps the link below will help.
http://technet.microsoft.com/en-us/library/bb727098.aspx
Scott Latimer www.appreciativeconsulting.com
May 17th, 2012 12:25pm
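After a certificate has been placed in the clients' trusted store (by GPO or by manual import, as discussed above), a client can confirm which internal sites it now trusts. The following PowerShell is an added example, not code from the thread: the function names are hypothetical and the host names and ports are constructed placeholders.

```powershell
# Added example, not from the thread. Function names are hypothetical;
# the host names and ports in $sites are constructed placeholders.
function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the goal is only to fetch the
        # certificate for inspection, and no application data is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateTrust {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation is skipped so the result reflects only whether the
    # chain ends in a root this machine trusts.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    # Chain building does not compare the certificate name with the host name;
    # a name mismatch is a separate browser error.
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        SelfSigned  = ($Certificate.Subject -eq $Certificate.Issuer)
        Trusted     = $trusted
        # For example UntrustedRoot when the root is not in a trusted store.
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$sites = 'mgmt01.corp.example:8443', 'mgmt02.corp.example:9090'
foreach ($site in $sites) {
    $name, $port = $site -split ':'
    try {
        Test-CertificateTrust (Get-RemoteCertificate $name ([int]$port)) |
            Select-Object @{ n = 'Site'; e = { $site } }, *
    } catch {
        Write-Warning "${site}: $($_.Exception.Message)"
    }
}
```

Run it on a domain workstation rather than on the web server, since the result depends on the trust stores of the machine doing the check.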
My understanding is that, if we have a Root Certificate Authority server, we can import any certificate so that all domain computers trust a site automatically. But I guess I am wrong then?
May 17th, 2012 12:30pm


