As you all know, for a majority of CAs out there you need to import the root certificate into IE in order for certificates issued by that CA to be trusted. I know a few of the larger CAs (Verisign) are automatically accepted by IE, but I haven't been able to find a list of IE7 Trusted CAs. IE7 now brings up a full error page when you try to access a non-trusted site, which is an issue since a lot of our customers will probably just give up when they see this page. We'd like to get a certificate that is automatically trusted, but we'd like to shop by price and maybe find something a bit cheaper than Verisign. Does anyone know where I can find a list of these trusted CAs?
Root CAs that are part of the Windows Root CA program are automatically downloaded by the client (XP and higher). They aren't included with IE anymore. I'm not sure where to find a list, but most orgs that sell SSL certs chain up to one of the larger roots that are trusted.
Yes, we use them for all of our certificates, however they are not trusted by default, so they've become a liability.
Yeah I don't think the Valicert CA that godaddy uses is in the Windows root program. Although it is included with Windows Mobile 5 apparently. You may have to pay a little more for a cert that chains to a root in the root program.
I'm not sure where a "text" listing is, but if you just open up the "Certificates" MMC Panel (as noted below), you'll see which Root Certificates are stored by XP. Actually, it is. If you open up the "Certificates" MMC on any updated XP box, you'll find "http://www.valcert.com/" as a Trusted Root Certification Authority, stored in the "Certificates - Current User" Certificate Store, with an expiration date of 2019. To quote Godaddy.com:

"Our root certificate, the Valicert Class 2 Policy Validation Authority, is installed in the following browser versions:
Internet Explorer 5.01 and higher
AOL 5 and higher
Netscape 4.7 and higher
Opera 7.5 and higher
Safari on Mac OS X 10.3.4 and higher
Mozilla (all versions)
Firefox (all versions)
Konqueror (all versions)
Palm OS 6.1 and higher (also Treo 650)
BlackBerry OS 4.1 and higher
Sony Playstation Portable 2.5 and higher
Microsoft Windows Mobile 2005 AKU 2 and higher
Sun Java Runtime (JRE) 1.4.2_07 and higher and 1.5.0_02 and higher
ACCESS NetFront 3.3 and higher
Cingular WAP Gateways (any Cingular phone which uses WAP version 1.X for Web browsing)"
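The post above checks the Trusted Root Certification Authorities store by hand in the Certificates MMC. As an added example (not code from this thread or from any of the vendors named in it), the PowerShell script below does the same check from the command line: it enumerates both stores the MMC shows ("Certificates - Current User" and the machine-wide store), filters roots by a subject substring, and separately flags roots that have already expired, since an expired root still appears in the store but will no longer validate a chain. The default search string "ValiCert" is an assumption chosen to match the CA discussed here; pass any other name.

```powershell
# Added example, not part of the original thread.
# Lists Trusted Root CAs in the two stores the Certificates MMC displays and
# searches them by subject. Requires Windows PowerShell (the Cert: drive is built in).
param(
    # Substring to look for in each root's Subject. "ValiCert" is an assumed default.
    [string]$SubjectMatch = "ValiCert"
)

# "Certificates - Current User" and the machine-wide store are separate; a root
# present in one but not the other explains why results differ between users.
$stores = @("Cert:\CurrentUser\Root", "Cert:\LocalMachine\Root")

foreach ($store in $stores) {
    Write-Host "== Roots in $store matching '$SubjectMatch' =="
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

# Expired roots stay in the store but no longer validate anything; list them so
# a "trusted" root with a past NotAfter date is not mistaken for a working one.
Write-Host "== Expired roots in Cert:\LocalMachine\Root =="
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date) } |
    Select-Object Subject, NotAfter |
    Format-Table -AutoSize
```

Save it as a .ps1 file and run it with `-SubjectMatch` set to the CA you are looking for. Note that on a machine with the automatic root update described later in this thread, a root may be absent from this listing and still be fetched on demand the first time a chain needs it, so an empty result here is not by itself proof that a certificate will be rejected.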
We get the error on all IE7 browsers for the godaddy CA, as well as one issued by bulkregister's CA. I spoke with their representative on the phone and he said that it was not part of the trusted CA program. Forgive my ignorance, but can't you choose to trust a certificate authority? (aren't you given the option on an untrusted certificate to trust it?)
Yeah I don't have an XP box handy, but I suspect this was part of IE6. IE7 doesn't bundle any roots, and the certs are downloaded from WU on an as-needed basis by the OS. So if it isn't in the Root Program, it won't be on WU. Sure, you can put any root you want in the trusted root store. The problem is that if you are hosting a public site, you typically don't have a way of doing this for everyone that visits your site. But if you are doing this internally, you can use Group Policy to push out root certs to all 2000 and higher domain members. I believe you can also write a CAPICOM script to push it to non-domain members or if you don't have AD. But if you are doing this internally, you could just set up your own CA and save a few bucks.
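The post above explains that Windows builds the chain itself and fetches missing Root Program roots from Windows Update during that chain building. As an added example (not code from this thread or from Microsoft), the PowerShell script below reproduces what IE7 does before showing its error page: it connects to a site, captures the server certificate, and asks the same Windows chain engine (CryptoAPI, exposed through .NET's X509Chain) whether the certificate chains to a trusted root, printing the chain status codes such as UntrustedRoot. The host name is an assumed placeholder; replace it with the site you want to test. Revocation checking is deliberately disabled so that the result reflects trust only, not CRL reachability.

```powershell
# Added example, not part of the original thread.
# Captures a site's server certificate and checks whether Windows can build a
# chain to a trusted root, the same decision IE7 makes before its error page.
param(
    [string]$HostName = "www.example.com",   # assumed placeholder host
    [int]$Port = 443
)

# Open the TLS connection. The validation callback returns $true only so that
# the handshake completes and we can capture the certificate; the real trust
# decision is made below with X509Chain, not here.
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Dispose()

# Build the chain with the Windows store (and, on an updated XP or later box,
# the automatic root download described in this thread).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)

"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Expires : $($leaf.NotAfter)"
"Trusted : $trusted"
foreach ($s in $chain.ChainStatus) {
    # UntrustedRoot here is exactly the case the thread is about: the chain was
    # built but terminates in a root that is not in the trusted store.
    "Status  : $($s.Status) - $($s.StatusInformation.Trim())"
}
"Chain   :"
foreach ($element in $chain.ChainElements) {
    "  " + $element.Certificate.Subject
}
```

If the output shows `UntrustedRoot` and the site is internal, the fix the post describes is to distribute the root rather than to weaken validation: in Group Policy the root goes under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, and on a single machine the same effect comes from `certutil -addstore Root <root.cer>` run as an administrator. Add only roots you control or have verified out of band; every root in that store can issue a certificate the machine will accept for any name.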
That was my point, that if it's in someone's IE7 then it was probably imported. I dunno, we're in a fairly niche market and all of our top 5 competitors have the same problem. I'm thinking that we just suck it up, pay for the Verisign or Thawte cert and clean up over the holidays.
One of the XP PCs that I checked for the Valicert CA was inside a "Virtual PC 2004" window. I've never imported Valicert or any other Certs into that virtual machine. Actually, I have IE7 installed in that particular XP virtual machine. Here's Microsoft's Root Certificate Program Members, updated in February 2005. This list includes Valicert. Unless Microsoft changed its mind, it seems Valicert is there. Perhaps it's a problem with Starfield's name, which may be present in Godaddy certs? If anybody's interested in testing with a site that uses a Starfield/Valicert certificate, this web site uses one. This site comes up fine in my XP/IE7 Virtual PC machine.

----------------------------------------------------------

Details of Microsoft's Root Certificate Program.

"Change in Root Delivery Process

New root certificates are no longer available with Microsoft Internet Explorer. Any new roots accepted by Microsoft are available to Windows XP clients through Windows Update. When a user visits a secure Web site (that is, by using HTTPS), reads a secure e-mail (that is, S/MIME), or downloads an ActiveX control that uses a new root certificate, the Windows XP certificate chain verification software checks the appropriate Windows Update location and downloads the necessary root certificate. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes. New roots will be available to Windows 2000, Windows NT, Windows 95, Windows 98, and Windows Millennium Edition (ME) clients through a Windows Update download file."