
I'm a bit new with certificates and have been unable to find an answer on this.

We need to place controls around an application that is accessed via URL, we have moved the URL to citrix, but the certificate is not trusted so it shows the "not secure" icon.

I was asked to generate a CSR file so that we can add the certificate to our store, but it's not our web server.

So, my question is:

  1. Even though our store does not trust the certificate, does it still enable secure communication?
  2. Is there a way for us to import this certificate to our store to trust it?

Thank you!

CLARIFICATION: I am familiar with generating CSR files and everything else that comes with it. Originally we thought this web server was ours, but it is not. It is owned by the company we send files to. Due to the nature of what gets sent there are security controls, such as ensuring data being sent is encrypted and was not tampered with. It leaves our side, goes through a PI server, then out to this web server. My question is, because this company self-signed their cert and we cannot add it to our trusted domain, does a secure connection still get established between browser and server?

  • We don't have enough information to provide an answer for these questions. How does the application's trust store work? Which certificate do you want the "store to trust"? It seems the problem is that the certificate is not signed by a valid CA. – Filipe dos Santos Jan 29 '19 at 15:34
  • I can confirm that the certificate does not come from a trusted CA - it looks like it was something created by this company internally. – mks5251 Jan 29 '19 at 15:53
  • Given your clarifying comment, I think your question boils down to _"What are the risks of using a self-signed certificate for HTTPS"_. There are already a number of good answers on this site; in particular, I think Thomas Pornin directly answers your question [in this answer](https://security.stackexchange.com/a/34023/61443). – Mike Ounsworth Jan 30 '19 at 15:08

1 Answer

My understanding is that you have been asked to generate a CSR for this server.

My advice would be to look at the documentation that came with the server / application; they often come with utilities / tools / instructions for generating CSRs.

Barring that, you can always generate a CSR manually. Google "how to generate a csr on ____" where you replace "_____" with the server stack that it is running, for example "how to generate a csr on iis 8" or "... nginx centos", or wtv.

Note that you will need direct access to the server to do this -- RDP (if Windows) or SSH (if linux). You say "but it's not our web server", which would definitely make things more complicated -- the point of a certificate is to prove ownership of the server, which is hard to do if it's not yours.


As for your actual questions, I don't really understand:

  1. Even though our store does not trust the certificate, does it still enable secure communication?

Probably not. I'm not sure what "our store" means, but the security of TLS comes from the fact that the client (usually a browser) trusts the CA that issued the cert.

You need to generate a CSR and get a certificate from a Certificate Authority that your clients will trust (ie a public CA if this is a public site, or a corporate CA if this is an internal site).

  2. Is there a way for us to import this certificate to our store to trust it?

Yes. How to do that will depend on what "our store" is.

Google "____ import certificate into trust store", where "_____" is the name of the application or OS that you are trying to import it into. Note that you usually import the root CA cert, not the server's cert.

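As an added illustration of the answer's two points (not code from the original answer), the Go program below starts a loopback HTTPS server with a self-signed certificate, shows that a client using the default trust store rejects it as an unknown authority, and then imports that certificate as a trusted root and connects successfully. The server, its response text and the `fetch`/`Demo` helpers are constructed for the example; the self-signed certificate is the one `httptest` generates.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch does a GET with the given root pool; nil means the system trust store, as a browser uses by default.
func fetch(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// IsUnknownAuthority reports whether err is the verification failure raised
// when the presented certificate chains to no trusted root.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// Demo stands up a self-signed HTTPS server (playing the partner's server) and
// connects twice: with the default store, then after importing its certificate.
func Demo() (errDefault error, body string, errTrusted error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello over TLS")
	}))
	defer srv.Close()
	// Attempt 1: default store. The handshake is still encrypted, but the
	// client cannot authenticate the server, so it refuses to proceed.
	_, errDefault = fetch(srv.URL, nil)
	// Attempt 2: import the server's own certificate into a root pool for this
	// client only, the equivalent of adding it to "our store".
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	body, errTrusted = fetch(srv.URL, pool)
	return errDefault, body, errTrusted
}
```

The first attempt shows what the browser's "not secure" icon means: the bytes on the wire are encrypted, but the client cannot verify who it is talking to, so it does not treat the session as secure.
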
  • Thanks. I am familiar with generating CSR files and everything else that comes with it. Originally we thought this web server was ours, but it is not. It is owned by the company we send files to. Due to the nature of what gets sent there are security controls, such as ensuring data being sent is encrypted and was not tampered with. It leaves our side, goes through a PI server, then out to this web server. My question is, because this company self-signed their cert and we cannot add it to our trusted domain, does a secure connection still get established between browser and server? – mks5251 Jan 30 '19 at 14:16