
A couple of questions regarding code signing and popup warnings in IE


Hello

Can someone please help me with the following questions, thanks in advance.

We have an AD Domain (Windows 2003 R2 SP2) with a Domain Controller running Microsoft Certificate Services 'Enterprise CA'.

We have a WEB site on another Windows Server in the same domain. This WEB site on this Server has some code written by one of your internal software engineers.

When a user on the network goes to the web page in question, the code is executed and a popup warning is then displayed stating “Publisher: Unknown”, do you want to trust this code.

All the desktop computers in the company have a copy of our internal CA in the Trusted Root Certificate Authority store.

So the engineer (Jo Blogs) requested a Code Signing certificate from the CA, and signed the code using this certificate. Now when the user goes to the WEB page they get a different message: “Publisher: Jo Blogs”, do you want to trust this code.

Next, if we then take Jo’s code signing cert and install it into the “Trusted Publishers” store on the desktop computer, when the user goes to the WEB page there are no more popup warnings and the page works as expected.

Here are my questions (thanks)

1: As the code signing cert was issued by our internal CA and the Root certificate for the CA is in the Trusted Root Certificate Authority store on the desktop computer, I would have thought that IE on the desktop computer would say OK, this code was signed by a CA which I trust and therefore I trust the cert and will not need to pop up a warning message.

2: As above, we installed Jo Blogs' code signing cert in the “Trusted Publishers” store. My concern is that someone with admin rights could export the cert, and then use it to sign more code, thereby pretending the code is from Jo Blogs when in fact it is not.

I would point out that when Jo requested a code signing cert he did this by going to the certificate services web site on the CA, e.g. http://CA-Server/certsrv

3: Rather than signing the code at all, can we add the WEB site URL or http://WEB-Server/* to trusted sites, or similar within IE itself, meaning any code that requests execution, as long as it comes from an approved URL, does not prompt the user for approval?

I would be very grateful if someone could answer/clarify the above points for me please.

Thanks all in advance

JoB333x1!
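
An added example, not part of the original post: a PowerShell audit of the Trusted Publishers store on a desktop, relevant to the concern in question 2. Signing requires the private key, so the script reports whether each certificate in the store carries one, whether it has the Code Signing EKU, and whether its chain builds to a trusted root. The function name and output column names are hypothetical.

```powershell
# Added example: audit the Trusted Publishers store (run on the desktop).
# A publisher entry that only establishes trust does not need a private key;
# an entry with HasPrivateKey = True could be used to sign code if the key
# is exportable, so it deserves a closer look.

$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing

function Get-TrustedPublisherAudit {
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\TrustedPublisher',
                                  'Cert:\CurrentUser\TrustedPublisher')
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            # Look for the Code Signing OID in the EKU extension, if present.
            $eku = $cert.Extensions | Where-Object {
                $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
            }
            $hasCodeSigning = $false
            if ($eku) {
                $hasCodeSigning = [bool]($eku.EnhancedKeyUsages |
                    Where-Object { $_.Value -eq $CodeSigningOid })
            }

            # Build the chain against the local stores without going online.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chainOk = $chain.Build($cert)

            [pscustomobject]@{
                Store         = $path
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                CodeSigning   = $hasCodeSigning
                ChainBuilds   = $chainOk
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    }
}

# Entries with a private key are listed first.
Get-TrustedPublisherAudit |
    Sort-Object -Property HasPrivateKey -Descending |
    Format-Table Subject, Thumbprint, CodeSigning, ChainBuilds, HasPrivateKey -AutoSize
```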
