[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Do we really need a patch for this? - THE OFFICIAL BLOG OF THE SBS DIVA
Mon, Oct 23 2006 0:37 bradley

Do we really need a patch for this?

Okay, so when we use IE7 on our self-signed certs it gives a warning, as it should... and I'm going to (sorry) bring up to the front of the blog again a comment asking why they couldn't come up with a patch for "this" red warning issue, since they knew IE 7 was coming out for months and it's been doing this since the beta... but "this"... this red warning that you are using a self-signed cert is expected behavior... why do we want to patch something that is warning us to take a second look at the certificate before we trust the site?  Furthermore, all we have to do is install the certificate... and the red stuff in the URL line goes away.  So this isn't an issue as long as we have installed the certificate in IE's local Trusted Root Certification Authorities store.  And like, how can they patch that for every self-signed cert we have out here in SBSland... come on guys... do we need a patch or a wizard for everything?  Especially when it's easy to just install the certificate to our IE trusted root sources in the first place.

Step one go to the RWW web site - see the pink stuff -

Step two - say okay to trusting the site (that "Continue to this web site" part).

Step three - view the Certificate information

Step four - install the certificate

Steps five through whatever - just follow the wizards.



Once you've 'sucked in' the certificate, the RWW site is no longer red and this isn't an issue.  You won't get a red URL.

So... see why I don't think we need a patch for this at all?  Shouldn't we just follow the wizard that's already there?  See how easy it is to fix this issue and it doesn't need any patch at all?  Sometimes I think we need to remember how the Good Witch Glinda told Dorothy she had the power to go home the entire time and not look for a patch to fix everything, you know?

(just don't tell Sandi you didn't read her blog posts about this topic)
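The "second look at the certificate" that the warning asks for, followed by the install step, can also be scripted. This is an added example, not part of the original post: the function name, its parameters and the sample values are hypothetical, and it assumes the certificate has been exported to a .cer file and its thumbprint read at the server console.

```powershell
# Added example. Function name, parameters and sample values are hypothetical.
function Install-VerifiedSelfSignedCert {
    param(
        [Parameter(Mandatory)] [string] $CerPath,            # .cer file exported from the server
        [Parameter(Mandatory)] [string] $ExpectedThumbprint, # read at the server console, out of band
        [Parameter(Mandatory)] [string] $ExpectedHostName    # name users type to reach RWW
    )

    $path = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

    # 1. The thumbprint must match the one taken from the server itself.
    #    Stripping non-hex characters also removes spaces and hidden marks
    #    picked up when copying from the certificate dialog.
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $want. Not installing."
    }

    # 2. Only a self-signed certificate belongs in the root store this way.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Issuer '$($cert.Issuer)' differs from subject; install the issuing CA's root instead."
    }

    # 3. An expired or not-yet-valid certificate still raises a warning once trusted.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # 4. A name mismatch is a separate warning that trusting the cert does not clear.
    #    GetNameInfo returns a single DNS name; certs with several names need a fuller check.
    $dnsName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedHostName) {
        Write-Warning "Certificate is issued to '$dnsName', not '$ExpectedHostName'."
    }

    # Import-Certificate ships in the PKI module (Windows 8 / Server 2012 and later).
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\CurrentUser\Root
}

# Constructed sample call; the path, thumbprint and host name are placeholders.
# Install-VerifiedSelfSignedCert -CerPath .\rww.cer `
#     -ExpectedThumbprint '<40 hex digits from the server>' -ExpectedHostName 'remote.example.com'
```

Adding to the current user's root store brings up the same Windows confirmation prompt as the wizard; the script only puts the thumbprint, validity and name checks in front of it.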


# re: Do we really need a patch for this?

Monday, October 23, 2006 6:25 AM by Bill Peng

Hi Susan, I think there's another reason why there won't be a patch. If you use a commercial certificate or a certificate from your own CA (or the certificate does not match the public domain name), these steps will not work (or are not necessary). What do you think?

# re: Do we really need a patch for this?

Monday, October 23, 2006 10:41 AM by Alun Jones

If you want to deploy the self-signed certificate as a trusted root across your organisation, you can do that very easily in Group Policy under Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities / Certificates.

# re: Do we really need a patch for this?

Thursday, December 07, 2006 11:21 PM by Matt Ridings - MSR Consulting

I hate to disagree here, but....

You are correct in that we don't need pansy wizards for everything.  You are also correct in that notifying us that the cert is unconfirmed should be expected behavior.

However, it should be noted that in a large number of cases you can install/import the certificate as many times as you like but IE7 will continue to display the red warning bar to the user regarding the certificate.  In addition, users who had already had this same certificate installed on IE6 are getting this warning in IE7.  Why?

The fact is that I *like* the way IE7 throws the warning in your face and keeps it there with self-signed certs instead of in IE7 where it was a simple yes/no dialog box essentially, that looked like every other dialog box you've seen a million times before.  But, and it's a big *BUT*, there should have been tools in place for SBS admins to deploy or override this behavior when it comes to the SBS domain certificates that are self-signed.

Like it or not the issue is not with the SBS admins, we know what the error means and how to deal with it.  Our users/clients on the other hand do not.  And when their 'secure' website is suddenly implying to them that it is *not secure* our phone is going to be ringing.  So give me a way to use a self-signed cert, let me *automate* the behavior of the browser when it comes into contact with it, and fix the issue where the cert being imported is not resolving the red warning bar in IE7.  Then I'll go back to agreeing with everything you say like I have for the last year :)

-Matt