We’ve all encountered the situation where we are using default eDirectory certificates or manually created certificates (e.g., a CSR from Microsoft IIS) for Web applications, including Access Manager, Identity Manager User Application or Provisioning, iManager, iMonitor, etc. Usually that is not a problem for admins. But if you start to deploy Web applications over SSL to hundreds or thousands of end users, Internet Explorer (still the default for Windows) will give annoying warnings about untrusted roots. That, plus the non-trivial procedure for importing a trusted root into Internet Explorer, may discourage some end users from coming back, or put doubts into their minds about the validity of their session.
The alternative would be to purchase commercial certificates (non-free, unlike eDirectory certificates) for web servers. These are certificates whose root is already trusted by Internet Explorer, from Verisign for example. But at least for internal or extranet users, it would be nice to be able to use free eDirectory certificates (free, once you own the eDirectory licenses).
The example below illustrates a way to push the eDirectory trusted root into end users’ Internet Explorer Trusted Root stores. It’s done through an unattended script that can be centrally pushed to end users’ Windows desktops, using the method of your choice.
Below is the infamous Security Alert when accessing a web site with SSL.
Figure 1: SSL Security Alert
If you click View Certificate, you can launch the Install Certificate wizard and install the certificate in IE so the warnings go away. However, most end users will get confused at this point, or will wrongly believe that they are being hacked.
Figure 2: Install Certificate wizard
The Certificate Import Wizard is good for those who understand what’s going on, but not for the average end user.
1. Run the Certificate Import wizard.
Figure 3: Certificate Import Wizard
Let’s import the certificate in the store for a test Windows desktop. That is required for our procedure. You can import the certificate in a store of your choice, usually one that does not contain too many certificates so you can trace it later in the registry.
2. Click Next.
Figure 4: Importing the certificate
3. Click Browse and select the Personal/Registry store, for example.
4. Click OK.
Figure 5: Personal/Registry store
5. Click Next.
Figure 6: Importing the certificate in the chosen store.
6. When the Summary screen appears, click Finish.
Figure 7: Summary screen for the Wizard
Now we will run the MMC (Microsoft Management Console) for certificates. This is available on Windows 2000/2003 and XP.
7. From the Start Menu, select Run and enter “mmc”.
8. In the mmc (ConsoleOne), go to File > Add Snap-in to add the certificates snap-ins.
9. Select Certificates, then click Add.
Figure 9: Adding the Certificates snap-in
10. Select “My user account” and click Finish.
11. Repeat this process, selecting the Computer account as well.
Figure 10: My user account
You should be able to see the imported certificates.
Figure 11: Imported certificates
12. Start regedit (Start menu/Run) and look at the certificate in the registry. It should be under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, then SOFTWARE\Microsoft\SystemCertificates\My\Certificates.
Figure 12: Certificate in the registry
If you cannot find your certificate, you can try to use the mmc to import a pfx certificate into one of your stores. Export it from iManager either by selecting the server certificate in iManager, or by selecting the TREE CA object under Security in the tree (export the self-signed certificate). You must include the Private Key and protect it with a password in order to export the eDirectory certificate in pfx mode.
I also found a useful free utility called importpfx from Fermilab at the URL below:
Anyway, once you can see/find your certificate in the registry, you are almost there.
13. Export the registry key for the certificate into a reg file.
Figure 13: Resulting reg file from exporting the registry key for the certificate, opened with a text editor.
14. To get certificates/trusted root to be automatically recognized by Internet Explorer, import them on end users’ workstations to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates.
Figure 14: Importing certs on end-users’ workstations
15. To export a key under AuthRoot into a reg file, copy the registry location and modify your reg file created previously for your certificate to import the certificate under the AuthRoot location.
Figure 15: Copying the registry location and modifying the reg file
The reason for using a reg file to push the certificate into end-users’ IE is that it’s easy to push it centrally to end-users’ workstations through the reg command, without any end-user intervention.
16. Run the reg file as shown below:
Figure 16: Using the reg command to import the registry key containing the certificate.
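Steps 13 to 16 above (export the key from the My store, retarget it to AuthRoot, run reg import) can be scripted so the reg file is rewritten consistently for every certificate. This is an added example, not code from the original article: it rewrites the [key] lines of a regedit export, refuses any key that is not a certificate under SystemCertificates\My, and writes the result in the UTF-16 format regedit expects. The sample reg text and its Blob bytes are constructed and truncated for illustration.

```python
"""Retarget a regedit export of a certificate from the My store to the
AuthRoot location used in step 14, then emit the reg import command.
Added example (not from the original article); the sample .reg text is constructed."""
import re
import sys

SRC_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\SystemCertificates"
    r"\\My\\Certificates\\([0-9A-Fa-f]{40})\]$", re.IGNORECASE)
DST = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\{}]"

def read_reg(data: bytes) -> str:
    # regedit 5.00 (Windows 2000/XP) exports UTF-16LE with a BOM; older exports are ANSI.
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")

def retarget(reg_text: str) -> str:
    """Rewrite every [key] line so the certificate imports under AuthRoot.
    The subkey name is the certificate's SHA-1 thumbprint and is kept unchanged.
    Any key outside the My certificate store is refused, so an export that
    happens to contain other keys cannot be pushed into HKLM by mistake."""
    out = []
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = SRC_RE.match(line.strip())
            if not m:
                raise ValueError("refusing to rewrite unexpected key: " + line)
            line = DST.format(m.group(2).upper())
        out.append(line)
    return "\r\n".join(out) + "\r\n"   # keep Windows line endings for regedit

def write_reg(path: str, text: str) -> None:
    with open(path, "wb") as f:
        f.write(b"\xff\xfe" + text.encode("utf-16-le"))   # BOM + UTF-16LE, as regedit writes

# Constructed sample: a real Blob value is several hundred hex bytes; truncated here.
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\SystemCertificates\\My\\Certificates\\"
    "0123456789abcdef0123456789abcdef01234567]\r\n"
    '"Blob"=hex:5c,00,00,00,01,00,00,00,04,00,00,00,14,00,00,00\r\n'
)

if __name__ == "__main__":
    src = read_reg(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else SAMPLE
    write_reg("authroot.reg", retarget(src))
    print('reg import "authroot.reg"')   # run on the workstation, as in step 16
```

Pass the exported .reg file as the first argument; the script writes authroot.reg next to it, ready for the reg import command from step 16.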
After you push the certificate to your AuthRoot store using the reg command, you can verify that IE has the certificate in the proper location.
17. In Internet Options, select Content and click Certificates.
Figure 17: Verifying that IE has the certificate in the proper location
The certificate should now show up in IE under the Trusted Root Certification Authorities store. If it shows up there, then IE should stop giving you warnings.
Figure 18: Certificate in IE under the Trusted Root Certification Authorities store
Note: If you are working with the Access Manager 3.0 SSL VPN client, you may need to go through the same steps under the Trusted Publishers section for Novell, Inc. This will eliminate pop-ups around the ActiveX control delivered through Internet Explorer for the SSL VPN client.
We just went through one example for simplifying the installation of the certificate/trusted root on end users’ workstations for Internet Explorer. There are other ways to do it, for example through Microsoft IEAK, which requires more work. Being able to do it using a one-line command like “reg import” is something that can prove useful for internal/extranet users, or even for Internet users in some cases.
If you have suggestions, comments, improvements, or other ideas, don’t hesitate to share them with me.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.