Certificates Not Trusted
I have a Server 2003 server with IIS running. We have outside, anonymous people viewing web pages. We would like to secure one page. I installed Certificate Services as a stand alone root CA. I then installed a certificate on the default website per knowledge base instructions (requested a certificate, which creates a certreq.txt file, go to the certsrv website, submit a request using base64 encoded PKCS #7 file, downloaded and installed the certificate, completed the request in IIS, then secured the page I wanted). The client then goes to the certsrv page, requests a web browser cert, and installs it. However, when going to the secure page they still get "Security certificate presented by this website was not issued by a trusted certificate authority" message. They can continue but get the bright red bar at the top. What am I doing wrong? I've tried installing the certificate in every store on the client machine (except the not trusted store). I made the certificate, assigned it to the web site, the client gets a certificate from my website but it's still not trusted when visiting.
August 28th, 2009 10:46pm
1) Outside anonymous people will never trust your CA... Period. If you need to extend trust to outside anonymous people, then purchase an SSL certificate from godaddy.com, they are probably the cheapest out there.
2) If you persist in using a private CA to issue the certificate.
   a) The CA certificate must be placed in the trusted root store of *every* client computer that will connect (not just the testing computer or the Web server, every computer)
   b) The certificate should be installed as a .p7b file at the Web server so that the entire certificate chain is installed
   c) Clean up the stores, putting it in "every store on the client machine" messes things up

Brian
August 28th, 2009 10:51pm
That is what I did, I installed the CA certificate in the trusted root store of the client's machine. I still get that it's not trusted.
August 28th, 2009 11:04pm
The user's trusted root store or the machine's trusted root store?

Also, that is not what I read. You stated, "I installed it in every store except the non-trusted store"

Brian
August 28th, 2009 11:41pm
Maybe a silly remark, but what "url" are you using to access the website?

A certificate can be marked as "not trusted" if it's
* expired (date-wise)
* issued by a CA that is not trusted
* issued to a common name other than the one you're visiting

Hope I don't forget any
So as an example if you issued the certificate to "website.domain.tld" but you visit it by using the hostname of the webserver or simply the IP you will get the warning...
August 28th, 2009 11:50pm
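The three causes listed in the reply above can be reproduced with a throwaway private CA; this is an added example, not part of the thread, and it uses the OpenSSL command line rather than the Certificate Services/IIS tooling the posters used. The CA name, the host name `webserver01` and the function names are constructed for illustration, and the `-CAfile` argument stands in for the client's trusted root store.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI, 1.1.0 or later.

# make_pki DIR: build a throwaway stand-alone root CA and a server certificate
# issued to the thread's example name. "Constructed Private Root" is made up.
make_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Private Root" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=website.domain.tld" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/srv.crt" 2>/dev/null
}

# why_untrusted CERT HOST [ROOT] [EPOCH]: print the first reason a client would
# reject CERT. ROOT plays the role of the client's trusted root store (empty
# means the CA certificate was never installed); EPOCH is the client's clock.
why_untrusted() {
  crt=$1 host=$2 root=${3:-} at=${4:-$(date +%s)}
  set -- -no-CAfile -no-CApath            # ignore the system trust store
  if [ -n "$root" ]; then set -- "$@" -CAfile "$root"; fi
  # 1. Issuer: does the chain end in a root this client trusts?
  openssl verify "$@" -no_check_time "$crt" >/dev/null 2>&1 ||
    { echo untrusted-ca; return; }
  # 2. Dates: is every certificate in the chain valid at the client's time?
  openssl verify "$@" -attime "$at" "$crt" >/dev/null 2>&1 ||
    { echo expired; return; }
  # 3. Name: does the certificate name match the host in the URL?
  openssl verify "$@" -attime "$at" -verify_hostname "$host" "$crt" \
    >/dev/null 2>&1 || { echo name-mismatch; return; }
  echo trusted
}

work=$(mktemp -d)
make_pki "$work"
later=$(( $(date +%s) + 90 * 86400 ))     # past the 30-day lifetime set above
echo "CA not installed: $(why_untrusted "$work/srv.crt" website.domain.tld)"
echo "CA installed:     $(why_untrusted "$work/srv.crt" website.domain.tld "$work/ca.crt")"
echo "URL uses hostname: $(why_untrusted "$work/srv.crt" webserver01 "$work/ca.crt")"
echo "90 days later:    $(why_untrusted "$work/srv.crt" website.domain.tld "$work/ca.crt" "$later")"
rm -rf "$work"
```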