I can\'t understand why, when I accept to \"install\" a custom self signed Root

Question

I can't understand why, when I accept to "install" a custom self signed Root CA on IE browser, the root certificate ends up in the "intermediate CA" section, rather than in "Root CA" section in the browser certificate container (and in Windows certificate manager too, may be both are the same).

Is it a Microsoft strategy, to only display in Root CA section the trusted CA list ? And not allowing the insertion of a "not known" Root CA in this section ?

When using it, I can't see any difference, but there must be an explanation.

Explanation / Answer

These problems often spur out of incorrect certificate usage parameters. Obviously, you need to have CA:TRUE, but the other key usage parameters also need to be correct. If the certificate usage parameters are incorrect, chances are that windows autodetect this certificate as a intermediate CA.

If there is the smallest disprecancy between the signer and subject of the certificate (so its no longer really orthodox "self-signed"), then it will be taken as a intermediate certificate.

You can install this as a Intermediate certificate. Go then in the certificate path and check if windows Thinks this certificate is signed by a Another CA. If windows misdetect the certificate as intermediate, you should see a top certificate that is present with a X above your certificate because windows do not know about this certificate.

If you still want to install this as a real root certificate, you can manually override the certificate placement by unchecking the box "Let windows choose a suitable store for this certificate" and then manually selecting "root CA".

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.