I always use MMC and prefer it as the best method.

With regards
Kings

On Wed, Apr 11, 2012 at 5:25 AM, Eugene Pefti <[email protected]> wrote:

> Hi Kings,
>
> It has always been a pain in the back making Windows trust “untrusted”
> certificates.
>
> I remember I was able to trick Windows to trust the certificate issued by
> my own Linux based SSL CA by exporting it to a file (Base 64 encoding) and
> then importing it to a local machine certificate store. Open that untrusted
> certificate and then select the second tab called “Details”. You’ll see the
> “Copy to File” button at the bottom of the window. Select Base 64 encoded and
> save it locally. Then do an import by going to IE properties, Content tab,
> Certificates, then select Import and then make sure you import it to the
> Third-Party Root Certification Authorities container. The net result is you
> have to see this certificate in the list of certificates available to the
> user who is logged in to the Windows box.
>
> Run “mmc” in Windows, in the Console go to File and select “Add/Remove
> Snap-in”, click Add and find “Certificates” in the new window. Select “My
> user account” in the next window.
>
> In the resulting window expand Certificates for the current user and
> navigate to “Third-Party root certificates” -> Certificates. Your newly
> imported certificate should be there.
>
> As for your second question I’m only on my way to master NAC L3.
>
> Hope someone will tie these two together ;)
>
> Eugene
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Monday, April 02, 2012 4:52 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] Trusting certificates when using ssl or tls
>
> Hi all
>
> I am going to present two questions with their solutions. Please comment.
>
> Question 1
> ========
>
> A router has been enrolled to an IOS CA server and the https secure server
> should use this certificate using the ip http secure-trustpoint command for its
> self identity.
>
> Now from a PC, you are trying to connect to the router using https with IE
> 6.0. The task is that I should configure the PC so that I am not
> prompted with a pop up for confirmation that the cert is valid.
>
> For this I should do three things:
>
> 1. Add the certificate's hostname in the Hosts file and access the
>    router using the hostname that is in the identity cert.
> 2. Make sure the clock is set correctly and the certificate validity period
>    is valid.
> 3. Install the certificate in the trusted root certificate
>    authorities.
>
> First two, I have no issues.
>
> For the third one, I installed the router's identity certificate along in
> the Windows "Trusted root certificate authorities" and that completed the
> solution.
>
> Well the question is instead of installing the identity certificate, if I
> install the root certificate of the IOS CA server, the Windows should trust
> the identity certificate presented, right?
> But that doesn't happen. Logically, that should also work.
>
> Question 2
> ========
>
> A router should be configured L3 IP NAC. The ACS should not use a self
> signed certificate, rather request a certificate from the IOS CA server. Now NAC
> L3 IP uses PEAP and thus ACS will be presenting the identity certificate
> that it got from the IOS CA server to the client for self identity during PEAP
> establishment.
>
> The question here: on the client PC for which posture validation is
> performed, should I install the identity certificate of CA server or IOS CA
> server root certificate or both in Windows "Trusted root certificate"
> authorities.
>
> Please the questions are related.
>
> Please provide your comments.
>
> With regards
>
> Kings
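
The import-and-check procedure described in the thread, plus a chain build for the identity certificate that lists why Windows does or does not trust it, as an added PowerShell example that is not part of the original messages. The two file paths are assumed placeholders for Base64 exports of the CA root and the router's identity certificate, and `Import-Certificate` needs the PKI module (Windows 8 / Server 2012 or later), not the IE 6.0-era client mentioned above.

```powershell
# Assumed placeholder paths: Base64 (.cer) exports of the CA root certificate
# and of the router's identity certificate.
$caFile     = 'C:\certs\ios-ca-root.cer'
$routerFile = 'C:\certs\router-identity.cer'

# Import the CA certificate into the current user's
# "Third-Party Root Certification Authorities" store (provider name: AuthRoot).
$ca = Import-Certificate -FilePath $caFile -CertStoreLocation Cert:\CurrentUser\AuthRoot

# Confirm it is listed, the same check the MMC Certificates snap-in gives.
Get-ChildItem Cert:\CurrentUser\AuthRoot |
    Where-Object Thumbprint -eq $ca.Thumbprint |
    Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Build the chain for the identity certificate against the Windows stores.
# The revocation mode is left at its default (Online), so an unreachable
# CRL distribution point is reported instead of being hidden.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $routerFile
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)

"Chain trusted: $trusted"

# Certificates Windows linked together, leaf first.
$chain.ChainElements | ForEach-Object { $_.Certificate.Subject }

# One row per reason the chain failed (empty when the chain is trusted),
# for example UntrustedRoot, NotTimeValid or RevocationStatusUnknown.
$chain.ChainStatus | Format-Table Status, StatusInformation -AutoSize
```

The chain check only covers certificate trust; the hostname match from step 1 of Question 1 is checked by the browser separately.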
