Microsoft KB Archive/256099

How to Distribute or Push a Root Certificate Authority Certificate to Clients


The information in this article applies to:


 * Microsoft Internet Information Services version 5.0
 * Microsoft Internet Information Server 4.0
 * Internet Explorer 5.0 (40 bit and 128 bit)


IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY
If you use Certificate Server to generate a Trusted Root Certificate Authority (CA) certificate for your organization, and you then need to distribute that certificate to your clients' browsers, the steps listed in the "More Information" section of this article prevent the client's browser from receiving the following Security Alert message:

The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority.

MORE INFORMATION
Clients usually connect to the certificate server and download the .crt file, which contains the Root CA certificate. After viewing the certificate and installing it, the client uses the wizard to select specific options to install the certificate for the computer. There is no unattended install option for installing a certificate.

To eliminate the need for the above steps, you can create a registry file that contains the certificate information, and then distribute or push that registry file to all client computers. You can distribute the file through e-mail, Microsoft System Management Server, login scripts, and so on.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).

Install the root CA certificate on one client computer, extract the registry key from that computer, and then distribute it to the rest of the clients.

Note: When you install a root CA certificate as a trusted certificate authority on a client computer, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates registry key is added. There are no files copied.

1. Install the Root CA certificate on the client. For additional information on how to complete this step, see the following article in the Microsoft Knowledge Base: "Q218445 How to Configure Certificate Server for Use with SSL on IIS"
2. View the SHA1 Thumbprint of the certificate you just installed by viewing the certificate and clicking the Details tab. This number will match one of the key values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates registry key. The SHA1 Thumbprint is found on the "Details" tab of the Root CA certificate, and can be viewed from the browser by clicking the Content tab in the Internet Options dialog box, selecting Certificates, and then choosing Trusted Root Certification Authority.
3. Start Registry Editor (Regedt32.exe).
4. Locate the following key in the registry: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
5. Select the key that matches the SHA1 Thumbprint of the root CA certificate, and then click Export on the File menu. A .reg file will be created.

You can now deliver or push this file to any client computer to create a new registry key that contains the root CA certificate, so that the client browser no longer receives the Security Alert message.
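Because importing the exported file makes every client trust whatever certificate it carries, it is worth checking the file before it is pushed. The following Python sketch is an added example, not part of the original article or Microsoft's code: it parses a .reg export and confirms that it adds exactly one key under Root\Certificates whose Blob hashes to the expected SHA1 Thumbprint. The function names, the constructed sample bytes, and the Blob layout (12-byte property headers, with property 32 holding the DER certificate) are assumptions of this example.

```python
import hashlib, re, struct

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
CERT_PROP_ID = 32  # assumed: property record that carries the DER-encoded certificate
FAKE_DER = b"constructed stand-in bytes, not a real certificate"

def parse_reg(text):
    """Map each [key] in a .reg export to its {value name: bytes} hex values."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join continued hex lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.fullmatch(r'"([^"]+)"=hex:([0-9a-fA-F,]*)', line)
        if m and current is not None:
            current[m.group(1)] = bytes.fromhex(m.group(2).replace(",", ""))
    return keys

def der_from_blob(blob):
    """Walk (prop_id, reserved, length, data) records; return the certificate or None."""
    off = 0
    while off + 12 <= len(blob):
        prop_id, _, length = struct.unpack_from("<III", blob, off)
        data = blob[off + 12:off + 12 + length]
        if prop_id == CERT_PROP_ID and len(data) == length:
            return data
        off += 12 + length
    return None

def audit(reg_text, expected_thumbprint):
    """Return problems found; an empty list means only the expected root is added."""
    expected = expected_thumbprint.replace(" ", "").upper()
    keys = parse_reg(reg_text)
    problems = [] if keys else ["file contains no registry keys"]
    for path, values in keys.items():
        name = path.rsplit("\\", 1)[-1].upper()
        der = der_from_blob(values.get("Blob", b""))
        actual = hashlib.sha1(der).hexdigest().upper() if der else "no certificate"
        if path.upper() != ROOT.upper() + "\\" + name:
            problems.append("unexpected key: " + path)
        elif actual != name or actual != expected:
            problems.append("%s: Blob gives %s, expected %s" % (name, actual, expected))
    return problems

def sample_reg(der=FAKE_DER, key_name=None):
    """Build a constructed single-key export in the REGEDIT4 text layout."""
    blob = struct.pack("<III", CERT_PROP_ID, 1, len(der)) + der
    name = key_name or hashlib.sha1(der).hexdigest().upper()
    return 'REGEDIT4\n\n[%s\\%s]\n"Blob"=hex:%s\n' % (ROOT, name, blob.hex(","))
```

Pass `audit` the decoded text of the export and the thumbprint read from the certificate's Details tab; exports that begin with "Windows Registry Editor Version 5.00" are UTF-16 and must be decoded as such first.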

Additional query words: iis 5

Keywords : kbWinOS2000

Version : winnt:4.0,5.0; :

Platform : winnt

Issue type : kbinfo
