Certificates are used for several security-related tasks in
Internet Explorer:

- Encrypting traffic. This is the most common use for certificates in Internet
Explorer. Many Web sites, especially e-commerce Web sites that
accept credit card numbers, have an SSL certificate installed.
This SSL certificate enables HTTPS communications, which behave
similarly to HTTP, but with encryption and authentication. With
standard, unencrypted HTTP, if an attacker has access to the
network, the attacker can read all data transferred to and from
the server. With encrypted HTTPS, an attacker can still
capture the traffic, but it will be encrypted and cannot be
decrypted without the server's private key.
- Authenticating the server. SSL certificates authenticate the server by
allowing the client to verify that the certificate was issued by
a trusted CA and that one of the names in the certificate matches
the host name used to access the site. This helps to prevent
man-in-the-middle attacks, whereby an attacker tricks a client
computer into visiting a malicious server that impersonates the
legitimate server. Web sites on the public Internet typically have
SSL certificates issued by a third-party CA that is trusted by
default in Internet Explorer. Intranet Web sites can use
certificates issued by an internal CA as long as client computers
are configured to trust the internal CA.
- Authenticating the client. Intranet Web sites can issue certificates to
clients on their network and use those client certificates to
authenticate clients to internal Web sites. When using AD DS Group
Policy, it is very easy to distribute client certificates throughout
your enterprise.
If Internet Explorer detects a problem with a certificate, it
displays the message, "There is a problem with this website's security
certificate," as shown in Figure 1.
The following list describes common problems that can occur when
using certificates in Internet Explorer and how to troubleshoot them.
- The security certificate presented by this Web site was issued for a
different Web site's address. In this case, there are several possible
causes:
  - The host name you are using to access the Web site is
  not the Web site's primary address. For example, you might be
  attempting to access the Web site by Internet Protocol (IP)
  address. Alternatively, you might be accessing an alternative
  host name, such as "contoso.com" instead of
  "www.contoso.com."
  Note: Subject Alternative Names
  Historically, SSL certificates have specified the host name for
  which they are valid by using the Common Name field. For example,
  you might specify www.contoso.com as the Common Name for your Web
  site certificate. However, if a user accessed the same site using
  the host name contoso.com, the browser would return an error.
  Since about 2003, most popular browsers have supported SSL
  certificates with Subject Alternative Names (SANs). SANs are
  host names for which an SSL certificate is valid. For
  example, you could create an SSL certificate with a SAN list
  and allow users to access a single Web server using either
  contoso.com or www.contoso.com.
  You can view a certificate's SAN list by visiting the site using
  HTTPS and clicking the padlock icon in the address bar of Internet
  Explorer. Click View Certificates, and then click the Details tab.
  Select the Subject Alternative Name field to view every host name
  for which the certificate is valid.
  - The server administrator made a mistake. For example,
  the administrator might have mistyped the server's host name
  when requesting the certificate, or the administrator might
  have installed the wrong certificate on the server.
  - The server is impersonating a server with a different
  host name. For example, an attacker might have set up a Web
  site to impersonate www.fabrikam.com. However, the attacker is
  using a different SSL certificate on the Web site. Earlier
  versions of Internet Explorer showed a less intimidating error
  message, so many users might have bypassed the error and
  continued to the malicious site.
- The certificate has expired. Certificates have a limited
lifespan—usually one to five years. If the certificate has expired,
the server administrator should request an updated certificate and
apply it to the server.
- Internet Explorer is not configured to trust the certificate
authority. Anyone, including attackers, can create a CA and issue
certificates. Therefore, Internet Explorer does not trust all CAs by
default. Instead, Internet Explorer trusts only a handful of public
CAs. If the certificate was issued by an untrusted CA and the Web
site is on the public Internet, the server administrator should
acquire a certificate from a trusted CA. If the Web site is on your
intranet, a client administrator should configure Internet Explorer
to trust the issuing CA. In AD DS domains, member computers
automatically trust enterprise CAs. For more information, complete
the exercises at the end of this lesson.
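The three checks behind these error messages (host name against the SAN list or Common Name, validity period, and issuing CA against the trusted root store) can be modelled in a few lines. The following Python is an added example, not code from the original lesson or from Internet Explorer; the dict layout for a certificate, the trusted-CA set and the contoso.com sample certificates are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed stand-in for the client's trusted root store.
TRUSTED_CAS = {"Contoso Enterprise CA", "Public Root CA"}

def host_matches(name, host):
    """Compare a certificate name with the host name used in the URL.
    Exact match, or a wildcard covering exactly one leftmost label
    (*.contoso.com matches www.contoso.com, not contoso.com)."""
    name, host = name.lower().rstrip("."), host.lower().rstrip(".")
    if name.startswith("*."):
        n_labels, h_labels = name.split("."), host.split(".")
        return len(n_labels) == len(h_labels) and n_labels[1:] == h_labels[1:]
    return name == host

def check_certificate(cert, host, trusted_cas=TRUSTED_CAS, now=None):
    """Return the problems the browser would report for `cert` when the
    site is reached as `host`; an empty list means it is accepted.
    `cert` is a constructed dict: cn, san (list of DNS names, may be
    empty), not_before, not_after, issuer. IP-address SANs are not
    modelled, so access by IP address fails the name check."""
    problems = []
    # If the certificate carries SANs, only they count; the Common Name
    # is consulted only for legacy certificates without a SAN list.
    names = cert["san"] or [cert["cn"]]
    if not any(host_matches(n, host) for n in names):
        problems.append("issued for a different Web site's address")
    now = now or datetime.now(timezone.utc)
    if now > cert["not_after"]:
        problems.append("certificate has expired")
    elif now < cert["not_before"]:
        problems.append("certificate is not yet valid")
    # The issuing CA must be in the trusted root store (public CAs by
    # default; enterprise CAs are pushed to domain members by AD DS).
    if cert["issuer"] not in trusted_cas:
        problems.append("not configured to trust the certificate authority")
    return problems

# Constructed certificates matching the cases discussed in the text.
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
CN_ONLY = {"cn": "www.contoso.com", "san": [], "issuer": "Contoso Enterprise CA",
           "not_before": datetime(2011, 1, 1, tzinfo=timezone.utc),
           "not_after": datetime(2013, 1, 1, tzinfo=timezone.utc)}
WITH_SAN = dict(CN_ONLY, san=["contoso.com", "www.contoso.com"])
EXPIRED = dict(WITH_SAN, not_after=datetime(2012, 1, 1, tzinfo=timezone.utc))
UNTRUSTED = dict(WITH_SAN, issuer="Untrusted Test CA")

if __name__ == "__main__":
    for label, cert, host in [("CN-only cert, bare host", CN_ONLY, "contoso.com"),
                              ("SAN cert, bare host", WITH_SAN, "contoso.com"),
                              ("expired cert", EXPIRED, "www.contoso.com"),
                              ("untrusted issuer", UNTRUSTED, "www.contoso.com")]:
        print(f"{label}: {check_certificate(cert, host, now=NOW) or 'OK'}")
```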