Internal Certificate Authority problem
I recently walked into a client that has an Internal Certificate Authority issue affecting Internet browsing. I think it is a standard online CA. When clients go to any HTTPS website, Internet Explorer now prompts them with the certificate mismatch page. Why would this happen? I think the only certs that have been issued are computer certificates.

I have been given some information from a different posting:

1) The published URL for the CRL probably isn't available; the client would have to write a script to post this externally daily and verify that the name (FQDN) on the cert is reachable from the internet. Most likely the client will have to alias the name in their DMZ.
2) The CA root cert is not trusted by browsers, so the users who use the cert will have to manually add it to their certificate store.

I don't really understand the first one, but the second one makes more sense to me. How does one add the cert to the local store? If it is a computer certificate, wouldn't it already be added to the local store?
April 28th, 2011 10:06am

Probably there is another reason: the certificate name is not the same as the one typed in the web browser. In this case you need to use a custom or the default Web Browser template. During enrollment you need to specify the certificate common name that will be used by users to connect to an SSL-secured web site.

My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
April 28th, 2011 11:07am
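
The name-mismatch cause described in the reply above, as an added example that is not part of the original thread: a Python check of the name typed in the browser against the names a certificate carries, showing why a computer certificate (subject = machine FQDN) fails for an alias or short name. The host names and certificate dictionaries are constructed, and `check_name` is a hypothetical helper, not an API of any PKI tool.

```python
# Added example. Certificates use the dict layout returned by
# ssl.SSLSocket.getpeercert(); all names below are constructed samples.

def _name_match(presented: str, host: str) -> bool:
    """Compare one name from the certificate with the host the user typed."""
    p, h = presented.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one left-most label: *.corp.example matches
    # intranet.corp.example, but not a.b.corp.example and not corp.example.
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def check_name(cert: dict, typed_host: str):
    """Return (matches, names the certificate is valid for)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Legacy fallback to the subject CN when no SAN is present.
        # Current browsers ignore the CN and require a SAN entry.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_match(n, typed_host) for n in names), names

# Computer-template style certificate: subject is the machine's own FQDN.
COMPUTER_CERT = {"subject": ((("commonName", "web01.corp.example"),),)}

# Certificate enrolled with the names users actually type.
WEB_CERT = {
    "subject": ((("commonName", "intranet.corp.example"),),),
    "subjectAltName": (("DNS", "intranet.corp.example"), ("DNS", "intranet")),
}

WILDCARD_CERT = {"subjectAltName": (("DNS", "*.corp.example"),)}

if __name__ == "__main__":
    for label, cert, host in [
        ("computer cert, alias", COMPUTER_CERT, "intranet.corp.example"),
        ("computer cert, short name", COMPUTER_CERT, "web01"),
        ("web cert, alias", WEB_CERT, "intranet.corp.example"),
        ("web cert, short name", WEB_CERT, "intranet"),
    ]:
        ok, names = check_name(cert, host)
        print(f"{label}: typed={host!r} valid_for={names} -> "
              f"{'OK' if ok else 'NAME MISMATCH'}")
```
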

This topic is archived. No further replies will be accepted.
