Certificate Error


18 replies to this topic

#1 whsvet

Posted 15 September 2010 - 04:49 PM

Guys,
I had this (somewhat minor) issue with WHS v1 and now with Vail. When I try to connect to the Console (v1) or Dashboard (v2) through my Remote Web Access webpages, I receive the certificate warning, stating "This certificate is not from a trusted certifying authority." I have tried the "Install Certificate" options, but continue to receive the error. It is no problem to click through, and I know I can allow it to be ignored, but I just dislike error messages! It seems rather inelegant. Is there a way to fix this? I hope this topic has not been discussed previously; I searched the forums and did not find it. Thanks in advance for any advice.
Current homebuild: Dell PowerEdge 1600SC from dumpster at work,
2.8GHz Xeon processor, 2.5 GB ECC Ram, 660Gb storage.
Looking at Core i3-based new build for Vail!

#2 kermi

Posted 16 September 2010 - 10:49 AM

Is this homebuilt server, or one of the OEM ones? It seems you are missing the root-certificate of the entity that has created the certificates of your server.

#3 jmwills

Posted 16 September 2010 - 11:29 AM

In which store did you install the certificate? It should be in the "Trusted Root Certificate Authorities" store.
Windows 7 Desktop - Antec 100 Case, Intel D8H67BL, OCZ 550W PSU, Intel i3-530 CPU w/16GB G-Skill DDR3 1333 RAM
Server 2012 - Fractal Arc Midi, CoolerMaster M600 PSU, ASUS P8H67V, Intel i5-2500 CPU w/32GBG-Skill DDR3 1333 RAM, 90 GIG OCZ SSD OS Drive – Roles: Hyper-V (WHS-SharePoint-DC-SQL-Exchange-WSE 2012), Print Server - Rocket RAID 2720 5x2TB
HTPC Build - Silverstone GD05 Case, ASUS P7H55-M PRO, CoolerMaster M600W PSU, Intel i3-530 CPU w/4GB G-Skill DDR3 1333 RAM. OCZ 60GB SSD Drive for the OS with a 120GB WD 2.5" Blue drive for data storage.
Travel Laptop: Dell XPSL502X 15.6"

#4 whsvet

Posted 17 September 2010 - 11:10 AM

Both my WHS v1 and Vail boxes are home builds.

I can find a certificate that contains the name of my server located in both the "Trusted Root Certification Authorities" and "Intermediate Certification Authorities" stores.

#5 ikon

Posted 20 September 2010 - 07:36 AM

I have this problem too. I have 'installed' the certificate into my Trusted Root Authorities store more times than I can count, to no avail. Since these are my own boxes, I naturally just click past the warning message but 1) it's annoying and 2) with Strict Transport Security coming on, clicking past a warning won't be possible, so I would like to find a resolution.

If at first you don't succeed, do it like your mother told you.


#6 jmwills

Posted 20 September 2010 - 06:27 PM

The only other thing that comes to mind would be an expired cert for that site. If the dates are valid then I would remove all associated with the servers and reinstall them which is done during the client connection process if I am not mistaken.

#7 whsvet

Posted 20 September 2010 - 08:52 PM

ikon: Thanks! I was beginning to think I was the only one having this issue! I may have found a fix for this, after much trial and error, and a good amount of searching. I now have 2 of my client computers connecting without the certificate error message, but I have run into some other snags. When I get it worked out (may be a few days), I'll post the steps here for all to critique. This fix seems to have worked on a homebuilt Vail server and two Win 7 clients.

#8 ikon

Posted 21 September 2010 - 06:15 AM

I too made some progress, even if only a little. You inspired me to get off my lard-loaded-lounger. Anyway, all I did was fix webmail access to my email server. The server uses a self-signed cert. I simply copied the cert file to my PC & double clicked on it to install it. I added it to the Root Authority. One down, around 3 more to go. :)


#9 whsvet

Posted 21 September 2010 - 10:08 PM

Ok, guys, here is the protocol I used to install into a Win 7 client the correct certificates for logging into WHS Vail. Installing certificates using the "Install Certificate" buttons just would not work for me. It seems that such a button would do what it says it does, but, ... oh, well. Be sure to do this on a secure local network, as you will be transferring your private certificate authority certs around in the clear! I have not tried this with WHS v1 or Win XP or Vista, but I would think the protocol would be very similar.

First, log into Vail using RDP (yes, click through the certificate error message by selecting the connect anyway option). Optionally, you can use an attached keyboard/mouse/monitor to log on.

In the Start menu search box, type "MMC".

mmc.exe will appear highlighted at the top of the popup list. Tap the "enter" key. A new console will open.

Left click "File" then select "Add/Remove Snap-in...".

In the left column, select "Certificates", then click "ADD>", then select "Computer account", then "Next", make sure "Local computer: (the computer this console is running on)" is selected.

Click "Finish", then "OK". The certificates branch is now added to the Console root.

Expand "Certificates", then expand "Trusted Root Certification Authorities". Another "Certificates" folder appears under this branch. Left click this "Certificates" item.

Several CA certificates will appear in the right pane. The one you want contains the name you gave your server when you set it up originally. Mine is named "VAILSERVER810-CA". Right click this certificate, then select "All Tasks" > "Export..."

The Certificate Export Wizard opens. Click "Next".

Make sure "DER encoded binary x.509 (.cer)" is selected, then click "Next".

Now Browse to a shared location on your client computer such as "Desktop" or "Public Documents" where you can easily find the certificate when you do the import steps that follow. You could use a cd, dvd, or usb drive for this transfer if you like. In the File name: box type the same name that is already given to the cert (in my case, "VAILSERVER810-CA") and click "Save". In the next window double check the path, then click "Next", then "Finish". The happy sign should appear: "The export was successful." Click "OK", then close the console. If you want, you can save this newly-created console on the server desktop for future use (other clients, mistypes,...), or just close without saving (you can recreate it if needed).

Log out of the Vail server. On your way to the client computer, stop by the refrigerator for your beverage of choice :rolleyes:.

Now, on the Win 7 client computer, logon with administrator privileges. In the Start menu search box, type "MMC".

mmc.exe will appear highlighted at the top of the popup list. Tap the "enter" key. Click through the UAC stuff. A new console will open.

Left click "File" then select "Add/Remove Snap-in...".

In the left column, select "Certificates", then "Add>".

Select "Computer account" in the "Certificates snap-in" window, then "Next"

Make sure "Local computer: (the computer this console is running on)" is selected in the next window, then click "Finish", then "OK".

A new branch appears under the Console root, named "Certificates (Local Computer)". Expand this branch, then expand "Trusted Root Certification Authorities" as above. A file named "Certificates" appears as above. Right click this folder, then select "All Tasks" > "Import..."

The Certificate Import Wizard opens. Click "Next".

Browse to the location of the cert you exported to this computer, and select it. Click "Next".

Select "Place all certificates in the following store" Browse to and select "Trusted Root Certification Authorities" store, click "OK", then "Next".

Review the info in the window to make sure it looks correct, then select "Finish".

You should now get the happy sign: "The import was successful". Click "OK". Close the console either saving or not depending on your preferences. I did not save mine, as they can be rebuilt as needed. You should also delete the ca cert from the export/import location, as the import process leaves a copy there.

At this point, you should be able to RDP in to the Vail server from this client computer, or connect to the Dashboard locally or through Remote Web Access from this computer without encountering the trusted certificate authority error.

I used a similar protocol to load RDP certificates from my other Win 7 clients, so that I no longer get this error when I RDP into them as well. If anyone is interested, I can post those steps as well.

As I stated at the beginning, I went through some trial and error. I exported/imported certs that appeared to do nothing, so I used the Certificate Console to delete them. I did not mess up anything that I have noticed yet. Just don't delete any certs you did not import!

Let me know how this works for you.
Current homebuild: Dell PowerEdge 1600SC from dumpster at work,
2.8GHz Xeon processor, 2.5 GB ECC Ram, 660Gb storage.
Looking at Core i3-based new build for Vail!
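
The MMC export/import procedure from the post above, scripted as an added example (not code from the thread) using only .NET certificate classes. The exported .cer holds just the CA's public certificate, so the check that matters on the client is comparing its thumbprint with the one read on the server before it goes into the Computer account's Trusted Root store. The file path and function names are assumptions; the CA name is the one quoted in the post.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
$CaName  = 'VAILSERVER810-CA'   # CA name quoted in the post; substitute your own
$CerPath = 'C:\Users\Public\Documents\VAILSERVER810-CA.cer'   # assumed path
$X509    = 'System.Security.Cryptography.X509Certificates'

function Open-MachineRoot($Mode) {
    # Computer account > Trusted Root Certification Authorities
    $store = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open($Mode)
    return $store
}

function Export-CaCert {
    # Server side: write the CA certificate as DER and return its thumbprint
    $store = Open-MachineRoot 'ReadOnly'
    try {
        $ca = $store.Certificates |
              Where-Object { $_.Subject -like "*CN=$CaName*" } |
              Select-Object -First 1
    } finally { $store.Close() }
    if (-not $ca) { throw "No certificate matching $CaName in LocalMachine\Root" }
    [IO.File]::WriteAllBytes($CerPath, $ca.Export('Cert'))   # public part only
    return $ca.Thumbprint   # write this down and carry it to the client
}

function Test-CaInstalled($Thumbprint) {
    # True if a certificate with this thumbprint is in LocalMachine\Root
    $store = Open-MachineRoot 'ReadOnly'
    try { return [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }) }
    finally { $store.Close() }
}

function Import-CaCert($ExpectedThumbprint) {
    # Client side: refuse to trust the file unless it is the certificate seen on the server
    $cert = New-Object "$X509.X509Certificate2" -ArgumentList $CerPath
    # Strip spaces and invisible characters picked up when copying a thumbprint
    $want = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    if ($cert.Thumbprint -ne $want)     { throw 'Thumbprint mismatch; not importing' }
    if ($cert.Subject -ne $cert.Issuer) { throw 'Subject and issuer differ; not a root CA certificate' }
    $store = Open-MachineRoot 'ReadWrite'
    try { $store.Add($cert) } finally { $store.Close() }
    return Test-CaInstalled $cert.Thumbprint
}

# Server:  Export-CaCert
# Client:  Import-CaCert '<thumbprint returned on the server>'
```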

#10 ikon

Posted 22 September 2010 - 06:29 AM

Nice writeup. Thanks. Correct me if I'm wrong, but you're basically describing how to export a certificate from Vail and import into Win7. Out of curiosity, did you try to double-click the .CER file after copying the file to the Win7 puter, like I did for my email server's cert?

BTW, I stopped by your refrigerator but you didn't have my beverage of choice; try to keep it better stocked in the future, OK? j/k :D :rolleyes:


#11 kermi

Posted 22 September 2010 - 09:55 AM

*cough* blog post *cough* :D

#12 whsvet

Posted 22 September 2010 - 12:12 PM

No, I did not try that method because I was not familiar with it. Until now, I had no experience manipulating certificates. Most of my info was gathered from sites such as Here and Here. There are probably easier ways to do this, I just could not find them.

#13 ikon

Posted 22 September 2010 - 02:57 PM

It would be interesting to find out if it would work for you.


#14 jmwills

Posted 22 September 2010 - 03:09 PM

If you take a look at some of the Windows Small Business Server blogs, this process is a little more streamlined in that SBS creates a package for you to install these X.509 certs. The only part they leave out is to install the certs in the Trusted Root Certificates store.

I am curious, that if you look under the advanced properties of the certs you imported and are still getting the warning, what properties are checked. Basically, everything except Secure E-Mail and Client Authentication should be checked.

#15 whsvet

Posted 22 September 2010 - 07:01 PM

The problem I found was that the automated processes did not install the correct cert. The "*server-name*-CA" cert is the one that had to be installed into the Trusted Root Certificate Authorities store. Having the "*server-name*" cert there by itself had no effect. In fact, I think it works without the "*server-name*" cert installed anywhere on the client machine.

I should have stated in the "blog post" above, that prior to the import procedure, I deleted all "*server-name*" certs from the client machine's Trusted Root Cert Authorities store that had been installed previously through other means.

This has been very confusing to me. I read enough websites to piece together this protocol that seems to work. Now maybe someone who really understands this cert stuff can explain why it works :rolleyes:

#16 timekills

Posted 23 September 2010 - 12:46 AM

Great writeup; very thorough. What I find interesting is why it happens on some builds and not others. Should I believe that the home-brews that seem to have no issues with the valid certificates have done something "right" or have they not installed something and the certificate validation system is non-functioning? I.E. is no news necessarily good news?

#17 ikon

Posted 25 September 2010 - 11:40 AM

Frustration!

On my XP computer at work double-clicking the cert file to install it worked like a charm. As I posted earlier it allowed me to get to the email server running on my WHS without a cert prompt. Beauty!

However, it didn't work on my win7 computer at home. When I followed whsvet's thorough description I found out that the cert had never been added to the Trusted Root store at all. So, I followed the instructions and added it. It installed and now I can see it. Problem solved, right? Wrong! I still get the cert prompt. Nuts!

Oh well. Maybe 1 day I'll get it fixed.


#18 ikon

Posted 25 September 2010 - 08:09 PM

Quick update. I found out that the double-click technique of installing a cert on win7 does add it to the Trusted Root, but not of Computer; rather, of My User. I tried adding the cert to the Trusted Root of each of the 3 options, My User, Service, & Computer, alone and in combination but none of them worked.


#19 ikon

Posted 10 November 2010 - 11:16 PM

I know it's been a while since this thread was updated, but today at work we discovered that the issue seems to involve different versions of IE. Again, at work, when we go to 1 intranet site using IE6 (after installing the cert) it works fine. However, if we go to the same site using IE8 it still gives the security warning page. Stay tuned....
