none
Windows 8 SSL certificate issues RRS feed

  • Question

  • Hello, I work at a school where we use a filter program called BlueCoat this filter allows us to filter both http and https traffic. In order to accomplish this we are required to create an SSL certificate and install in on all our local machines. Without this certificate on the local machine the user is unable to use any SSL traffic. In Windows 7 and earlier installing the certificate in the Trusted Root Certification Authorities through internet explorer allowed the entire system to use that installed certificate. In Windows 8 installing the certificate this way only installs the certificate for Internet explorer. Programs like the Windows Modern UI applications and Windows Update will not work because they are not seeing the SSL certificate. Is there someway to install the SSL certificate so the entire system can use it?

    Thursday, October 11, 2012 10:12 PM

All replies

  • You may reset IE settings and see the results. 

    How do you deploy the certificates? Make sure that the certificates will be installed to Trust Root store. If you are using Web enrollment service, you may see:

    http://social.technet.microsoft.com/wiki/contents/articles/you-cannot-download-ca-certificate-from-web-enrollment-pages.aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

    Monday, October 15, 2012 8:16 AM
    Moderator
  • Resetting IE settings doesn't do anything. We deploy all of our certificates through start-up scripts for domain enabled computers, but our Windows 8 machines are test machines so we make sure the certificate is applied manually. (opening up the certificate and manually putting it in the trusted root store.) All of our Windows 7 machines work fine with our certificates and the internet browsers in Windows 8 work fine, even legacy programs work the way they are supposed to. It seems that all the modern UI apps and Windows update are what we are currently having issues with in regard to the certificate. I am wondering if its just an issue with how windows 8 manages certificates within the new interface (Android as an operating system has the same issues on our network, but Macs and iOS work fine) If that is true the question then becomes is there a work around, will it get fixed, and is Microsoft even aware of it?
    Monday, October 15, 2012 8:21 PM
  • Have you tried rolling it out using (domain) group policy?

    The key you'd want is:

    Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities

    Open that key in Group Policy management Editor, Right click the right hand window, select Import, then give it your certificate.

    If you only want this to apply to Windows 8 Computers, rather than move them to a test Active Directery Orginisational Unit, you can apply a WMI Filter to detect Windows 8:

    namespace:

    root\CIMV2

    Query:

    select * from Win32_OperatingSystem where Version like "6.2%" and ProductType="1"

    I know the key work in Windows 8 at the Aero desktop level, as I have used it to add the Outlook Web Access Address to a certificate chain.

    Like you, I’m not sure if Metro Style apps have their own certificate store, but I do know they run with very limited privileges. As this Group policy would apply at the computer level, rather than user level, you may have better success than manually dropping it into the trusted root CA.

    Monday, October 15, 2012 9:51 PM
  • We have tried manually loading the certificate into the computer through the group policy editor on the local machine without luck, I am not sure if that would be the same thing or not. We will try that tomorrow. If it does work that brings up another issue. Being a school we deal with computers that will be connecting to our network without being on the domain. We require them to install the certificate themselves in order to connect to the internet through a gateway (bluesocket). If the solution you provided works (which I am assuming that it would work the same as the local Group Policy editor so it probably won't) it will not work for our students who are going to be the ones using Metro UI applications. The big issue for our local computers is windows update, as our domain users will probably not be using much if any of the Metro UI (if we even make it available.) Again the way we are currently installing the certificate in windows 8 allows the legacy apps/desktop applications to work under all users. I can also confirm that when I open up the local group policy editor and view the trusted root certificate folder for the computer our certificate is there, so it is getting installed into the trusted root folder correctly and Windows modern UI applications and windows 8 still do not work unless we turn off SSL filtering on our blue coat filter (which isn't a legitimate option for long term use)
    Monday, October 15, 2012 11:30 PM
  • Hi, Nicholas.

    I'm inclined to agree with you - As long as you can see the current certificate in the local Group Policy editor under computer and not user settings, I don't think this fix would apply.

    Just as a sanity Check (Not sure what login code you’re using to add this, so…) - If you click start, run, certlm.msc, then expand Trusted Root Certification Authorities, can you a) See your certificate in there? B) It has a valid expiration date?

    If you repeat that for certmgr.msc, you can ensure both the machine and the user have the certificate available, but I can’t find any Metro apps to test against selfsinged certs for definite (Firefox Elm is still prompting it’s untrusted, but that could be an Alpha Fx issue)

    Sure you've already done all the searching, but just in case...

    Found this: http://superuser.com/questions/464314/how-to-connect-windows-8-mail-calendar-and-people-to-exchange-server which describes the problem you're seeing - Metro Apps not checking the Aero certificate store, but no answers. Likewise with this: http://social.msdn.microsoft.com/Forums/en/winappswithcsharp/thread/bebc4a23-fc8b-457c-8451-f82176a37f06

    Most of the searches are cluttered up with developer questions, about coding in certificates (Such as http://social.msdn.microsoft.com/Forums/en-US/winappswithcsharp/thread/0ae9b413-62de-438f-aedb-625d745c602a), which doesn’t help you.

    Don't think I can help much more - I can't find any documentation confirming or denying Metro UI supports this.

    I know that can be a pain to set up, and have a cost attached, but if you can’t find any answers; it may be easier to get an externally signed certificate set up to get a full chain.




    • Edited by J Cutter Tuesday, October 16, 2012 12:28 AM line breaks
    Tuesday, October 16, 2012 12:19 AM
  • Yes our certificate is in both of those locations with a valid expiration date. For windows update we have found a work around by putting the host name update.windows.com in the disable SSL interception list. yet as far as host names for anything else that uses SSL within Windows 8, like the Modern UI store or probably any other modern UI app that uses SSL traffic, it still does not work and we can only get IP addresses without host names. Which as you know seem to change all the time. inorder for the work around to work for the Modern UI apps we would need to add any hostname that any app might use to the disable SSL interception list in bluecoat. That would still not be optimal and it would be an awful lot of work even if we had those hostnames (which we don't) It would be much better if Microsoft could just allow the entire PC to use the certificate store.
    Thursday, October 18, 2012 6:54 PM