A while ago, I set up my company's local (non-internet) client database on my domain server, using Apache and PHP/MySQL.

I recently decided to set it up to use an SSL connection rather than a standard HTTP connection. (I know, I should have from the beginning, but that's another matter).

I've set up my server and my certificate successfully, but due to me being cheap and not paying a "certified" SSL signer, IE pops up an annoying dialog about not being a valid certificate. I've figured out how to add the certificate on a single computer (see: http://www.99main.com/webmail-ssl-ie.shtml), but I have about 10 computers and don't want to install it for each user (I am only on site about 6-7 times a year, and usually not during business hours, so I can't guide each user).

So what I am wondering is how to make it so that IE does not pop up a dialog saying that my certificate isn't signed by a reliable authority, without visiting (physically) each computer. The way I feel is the most promising is importing the certificate using a command line script or reg-hack. Of course, I am welcoming any other method of accomplishing my goal (is there a way to fake a certified signing authority?, etc.)

If that is not possible, is there a way to register the certificate for all accounts on a computer (those that have signed in or not)?

Thanks, Brian

+1  A: 

In my opinion, it would be cheaper for you to buy a signed cert than script something up to add your certificate to all the trusted computers (in terms of time spent on doing it).

They're a paltry $30/year on GoDaddy...

Oli
+1  A: 

I agree with Oli - for that price it's a real bargain.

Other than that, there is no way a website could install the certificate automatically without user intervention. That would kinda defeat the whole purpose of the certificates, wouldn't it? ;)

You can make all kinds of command-line scripts n' stuff that will import the certificate for the user, but someone will have to run them on that computer anyway.

An alternative would be to provide your users with a link to a step-by-step illustrated manual for installing the certificate.

Vilx-
I forgot to mention that I am the system-admin also, so I have complete control over the machines. They run WinXP Pro (SP2) and (mostly) IE 7. You said "You can make all kinds of command-line scripts n' stuff that will import the certificate for the user", and that's what I was asking how to do.
HalfBrian
+1  A: 

Should you have remote access to all on-site computers with an Admin account, you can install the certificate on them.

Other than that, IE will always warn about a non-signed certificate, and any way to remotely disable it would be a serious security hole. And faking a certified signing authority needs hacking RSA, which seems to be possible but takes a whole lot of time (like centuries).

So: only if you can access all those computers remotely can you make IE stop complaining about your certificate. I believe that all available solutions need configuration changes (installing the certificate, introducing some trusted domain controller which would provide your certificate, etc.).

Abgan
+2  A: 

Installing the SSL certificate via the Website is definitely not possible and that's a good thing.

If your PCs are structured in a Domain, then you can probably do this via a Group Policy, though.

Joachim Sauer
Thank you very much, I'm not a seasoned admin, so I didn't think of Group Policy, but that seems like it will work exactly as I had hoped. Here is a site I found about it if someone stumbles upon this later: http://www.unixwiz.net/techtips/deploy-webcert-gp.html
HalfBrian
A: 

I've heard about certmgr.exe (but no experience at all)

A related link: http://msdn.microsoft.com/de-de/library/e78byta0(VS.80).aspx

It seems to be part of the software development kit for .NET 3.5. On my system with .NET 3.5 only as runtime, it was not available.
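
For the scripted import and the "all accounts on a computer" part of the question, here is an added example (not code from anyone in this thread): a PowerShell script that checks the certificate's thumbprint and then adds it to the machine-wide Trusted Root store, which applies to every account on that computer. It assumes PowerShell is installed on the clients (it is not part of a default Windows XP install) and that the script runs as a local administrator; the share path and thumbprint are placeholders.

```powershell
# Added example. $CertPath and $ExpectedThumbprint are placeholders to replace.
$CertPath           = '\\fileserver\deploy\intranet.cer'   # hypothetical share path
$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-READ-ON-THE-WEB-SERVER'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Trust only the exact certificate you generated: compare its thumbprint
#    with the value read directly on the server, not with the file itself.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for $CertPath (got $($cert.Thumbprint)); not importing."
}

# 2. A root-store entry that is marked as a CA can vouch for certificates of
#    other sites if its private key is ever stolen from the web server.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning 'Certificate is marked CA:TRUE; consider reissuing it with CA:FALSE.'
}

# 3. Do not trust a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Add to LocalMachine\Root so every user profile on this PC trusts it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    if ($store.Certificates.Contains($cert)) {
        Write-Output "Already trusted: $($cert.Subject)"
    } else {
        $store.Add($cert)
        Write-Output "Added to LocalMachine\Root: $($cert.Subject) [$($cert.Thumbprint)]"
    }
} finally {
    $store.Close()
}
```

Only the public certificate file (`.cer`) belongs on the share; the private key stays on the web server.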