How intermediate Certificates work with CE Web server and SSL



I am having some difficulties trying to get some aspects of the CE
web server working with SSL. For the most part, the web server works
with SSL, but when a different set of certs is used, things do not
work as planned. This is on a headless device configured via our HTTP
interface. I will try to explain below.

1. Load CertA with private key into the MY store. Note: for some
reason this is not loading the root for CertA.
2. The operator of the device has his own certificate, CertB. Add the
CertB root CA to the ROOT store.
3. Add the operator via the NTLM API. While adding this user, have the
user enter his personal CertB serial number. This, together with the
CertB root, is used to set up the SSL user.

At this point, looking at all the certificates, we have:
MY - CertA
ROOT - CertB-root

4. Reboot the device so everything is in SSL mode.
5. Add the CertB .pfx in Internet Explorer.

At this point, looking at all the certificates in IE:
Personal - CertB
Trusted Root Certification Authorities - CertB-root

6. Go to the device web page. The device sends CertA to IE (prompts
you).
7. IE asks what cert you want to use. Select CertB.
8. You get on the device's web page, and everything works great!!

Here is where things are getting confusing. I decide to add a third
user with CertC. Now CertC is a little different than the previous
ones, because it has an intermediate CA and a root CA.

9. Add CertC-Intermediate to the ROOT store.
10. Add a new user with the serial number of CertC. This gets put in
the SSL registry settings along with the new ROOT.
11. In IE, install CertC, which puts in the cert, the intermediate
authority, and the trusted root authority.
12. Go to the device web page. The device sends CertA to IE (prompts
you).
13. IE asks what cert you want to use. Select CertC.
14. You get a "not authorized to view" page.

When putting breakpoints in our code, nothing on our side is getting
hit, so it seems that this is completely on the web server/IE side of
things. We have tried putting the intermediate and root of CertC in
the ROOT store on the device, to no avail. What could be causing this?
I know it is quite confusing to read, but I hope someone knows.

Tom