Sunday, May 19, 2019

windows 7 - Trouble with certificate checking on a closed network

I'm managing an Active Directory domain with about a hundred Windows 7 clients running IE9. The network does not have access to the Internet, but does have the ability to access a vendor web application. The web app uses HTTPS and the vendor's certificates are from Entrust. I'm trying to figure out how to add the certificates to Active Directory so that all clients will receive the certificates and stop warning or outright blocking access to the application. Nothing I have tried has worked.



  1. Accepting the certificates via the browser's red shield in the address bar hasn't worked. In fact, if I view the certificate and look at the path, it says it is valid, but still warns on some clients and blocks on others.


  2. I tried importing the certificates into the browser by going into Tools-Options-Content-Certificates, but that hasn't helped either. I can see the current certificates installed, but browser behavior is unchanged.


  3. Last but not least, I've added the certificates to the domain group policy under Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certification Authorities.



I'm losing my mind on this issue. I know the certs are good because I've installed them in the browsers for our Linux workstations without any issue. It is only the Windows hosts that will not seem to accept them. I'm wondering if the issue might have something to do with the PCs being unable to double check the certs over the Internet. I simply would like all of the domain PCs to accept the certs provided by the domain and leave it at that. I don't want to disable certificate checking completely, but I'm getting close.


Also, would setting up a certificate authority on the LAN help or just add unnecessary complexity?
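
One way to test the revocation hypothesis raised in the question on an affected client, as an added example that is not part of the original post: the script builds the certificate chain once with online revocation checking and once without, and reports whether each chain certificate is present in the machine's Root or CA store. The file path is a placeholder, and the function name `Test-Chain` is made up for this sketch.

```powershell
# Added diagnostic sketch, not from the original post.
# $CertPath is a placeholder: export the vendor site's certificate to a .cer file first.
param([string]$CertPath = 'C:\temp\vendor-server.cer')

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

function Test-Chain([string]$RevocationMode) {
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = $RevocationMode   # 'Online' or 'NoCheck'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object TimeSpan 0, 0, 15
    $ok = $chain.Build($cert)

    # Overall status flags, e.g. UntrustedRoot, PartialChain,
    # RevocationStatusUnknown, OfflineRevocation.
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Host "[$RevocationMode] Build = $ok  Status = $flags"

    foreach ($el in $chain.ChainElements) {
        $tp = $el.Certificate.Thumbprint
        # Which machine stores (populated by Group Policy or locally) hold this cert?
        $stores = @('Root', 'CA') |
            Where-Object { Test-Path "Cert:\LocalMachine\$_\$tp" }
        $elFlags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Host ("  {0}" -f $el.Certificate.Subject)
        Write-Host ("    machine stores: {0}  element status: {1}" -f `
            ($stores -join ', '), $elFlags)
    }
    return $ok
}

$online  = Test-Chain 'Online'
$noCheck = Test-Chain 'NoCheck'

if ($noCheck -and -not $online) {
    'Chain is trusted; it fails only when revocation data must be fetched.'
} elseif (-not $noCheck) {
    'Chain fails even without revocation checking; see the status flags above.'
} else {
    'Chain builds with revocation checking enabled.'
}
```

If only the `Online` pass fails, the CRL and OCSP URLs inside the certificates are what the clients cannot reach; `UntrustedRoot` or `PartialChain` in the `NoCheck` pass points instead at a root or intermediate certificate that has not arrived in the machine store.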
