From: lanephil("at" sign")well.com (Phil Lane)
Date: 28 August 2003
Newsgroups: microsoft.public.mac.explorer
Subject: adding trusted CA certificates in IE 5.1.7 for Mac OS 8.x-9.x
NNTP-Posting-Host: 67.125.232.59
Message-ID:

Hello all

After wrestling with this problem I've discovered a number of fixes
which I thought I'd share with y'all.

Problem: Microsoft Internet Explorer for Macintosh fails to establish
a secure connection to an https:// site, for example for online banking,
and provides an error message: "Unable to establish a secure
connection to 'https://online.wellsfargo.com/' [or other site]. There is
a problem with the security certificate from that site (The identity
certificate issuer is unknown.)"

My software: Microsoft Internet Explorer, version 5.1.7, for Macintosh
O.S. 8.x-9.x. MSIEv5.1.7 is the most recent release as of this
posting (8/28/03), was released on 7/3/2003, and is available at:
http://download.microsoft.com/download/6/d/e/6dec427f-2ddc-4146-8d15-6d5f90668425/InternetExplorer517EN.hqx
or (2/2/2004, according to the kind email from Whitfield Jack) perhaps at:
http://www.microsoft.com/downloads/results.aspx?productID=5A8BB164-5FC3-4BE5-95BB-BA73EEED1CA6&freetext=5.1.7&DisplayLang=en
Oh, by the way, this note added 2/2/04, I've been getting some nice
"thank you" emails, it's nice to know this gobbledegook has proved
useful. You wanna see the emails? Click here.
OK, to continue: I'm running MSIEv5.1.7
on a Powerbook 3400 with Mac OS 8.6, which originally
came with MSIEv4.0.1 installed by Apple.

Details of problem: unlike Netscape browsers, IE on Macintosh
does not provide an easy way to install new security certificates. When
you visit a secure site, IE checks the site-provided site certificate, and
also checks the issuer of the site security certificate, the so-called
"trusted Certificate Authority" or CA, against an internal list. If the
issuer of the site certificate is not in IE's list of trusted CAs, it rejects
the site certificate and issues the warning above. At this stage,
the Netscape browser allows a user to manually examine, and
choose to install, the issuer "trusted CA" certificate into that
internal list; IE does not immediately provide this option. Many
net postings, therefore, complain that there is "no way" to add
a new trusted CA into IE's internal list. This is not correct; it
can be done, it's just difficult.

Solution (#1): first, when IEv5.1.7 is installed over a prior version
of IE, it appears to by default use the list of trusted CAs from the
prior version. (Microsoft, you might want to change that default...).
So, the first thing to try is to reset IEv5.1.7 to use its own (updated)
list of trusted CAs. Click EDIT, PREFERENCES, WEB BROWSER,
SECURITY. The current list of trusted CAs is shown in the
box labelled Certificate Authorities. In my case, these were apparently
from IEv4.0.1, had been stored probably somewhere in the
System/MS Preference Panels area, and had been accessed
by the new IEv5.1.7. Note down these CAs, and have a look at them;
in my case many were expired. Now click the button Reset To
Defaults. This (I'm pretty sure) tells IEv5.1.7 to use its own
(much updated) list of trusted CAs. Now examine the list;
in my case there are many more CAs, and all are current. Click
OK to close the Preferences window, and now try to establish
a secure https:// connection; should work ok.

But if it doesn't...

Solution (#2): Find out what trusted CA is the issuer of the site
security certificate for the https:// secure site you're trying to visit.
(In Netscape, you can click on the lower left hand padlock icon
in a secured connection window. You get a Security Info window;
click on View Certificate.) In the case of Wells Fargo Bank, the
site certificate is owned by Wells Fargo, and the trusted CA
which issued the certificate is Verisign. So, you need to install
a trusted CA certificate from Verisign into your IEv5.1.7 list of
trusted CAs. Do web searchs (i.e. google) on ".der verisign",
".crt verisign", and ".cer verisign" to find someone, maybe
Verisign itself, which has posted the necessary "public key"
certificate on the web. Now from IEv5.1.7, click on the link you've
located. If all goes right, IEv5.1.7 will start up a trusted CA
installation wizard which begins: "You have been sent a
Certificate Authority. Because of the critical role these have
in security, it is strongly recommended that you read this text
before proceeding." Read it, click on View Certificate Authority,
examine it, checkmark the two boxes, and click ACCEPT.
IEv5.1.7 will then install this certificate as a new trusted CA.

Note that as far as I have been able to determine this is not
documented in IEv5.1.7 help files or in the Microsoft website.

Now, in fact, I did not need to install the Verisign certificate. However,
I *did* successfully install new certificates from Equifax/Geotrust, GTE,
and Globalsign, as follows:

Globalsign: go to http://secure.globalsign.net/cacert/ and click
on root.crt - or, just go to http://secure.globalsign.net/cacert/root.crt -
and this will install the Globalsign trusted CA certificate.

GTE Cybertrust: as far as I can figure GTE hasn't posted such
a file, but someone else has: go to
http://www.island.net/help/kb/files/ and click on gte.crt - or,
just go to http://www.island.net/help/kb/files/gte.crt - and this will
start the installer wizard.

Equifax/Geotrust: they posted a site certificate on their website, at
http://www.geotrust.com/resources/roots/Equifax_Secure_Certificate_Authority.cer,
but it's in the wrong format and fails to install. So, I
emailed them, and they kindly mailed me one in ".der" format,
a small file called ESCAder.cer. I will post this to my website
and it should be available at
http://www.well.com/user/lanephil/ESCAder.cer.
Or you can email them also; maybe they'll get around to posting
this one, too, on their website.

Final note, I don't really understand the difference between .crt and
.cer and .der formats. Ah, well.
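The .cer, .crt and .der extensions are used interchangeably; the distinction that matters to an installer is the encoding: DER (raw binary ASN.1) or PEM (the same DER bytes base64-encoded between BEGIN/END CERTIFICATE lines). The following Python check, added here and not part of the original post, tells the two apart by content rather than by file name, normalises PEM to DER, and verifies that the outer ASN.1 SEQUENCE spans exactly the whole file (so truncated or trailing-junk downloads are caught). It checks encoding only, not whether the CA should be trusted; the sample bytes are constructed, not a real certificate.

```python
import base64
import re

# PEM armor: header, base64 body, footer (whitespace tolerated).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_tlv_length(data: bytes):
    """Return (header_len, content_len) of the outermost DER element, or None
    if the bytes do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:      # an X.509 Certificate is a SEQUENCE
        return None
    first = data[1]
    if first < 0x80:                           # short-form length (< 128 bytes)
        return 2, first
    n = first & 0x7F                           # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def sniff_format(data: bytes) -> str:
    """Classify certificate bytes as 'PEM', 'DER' or 'unknown', ignoring
    the file extension entirely."""
    if PEM_RE.search(data):
        return "PEM"
    tlv = der_tlv_length(data)
    if tlv and sum(tlv) == len(data):          # header + content must cover the file
        return "DER"
    return "unknown"

def to_der(data: bytes) -> bytes:
    """Normalise PEM or DER input to raw DER bytes; raise on anything else."""
    fmt = sniff_format(data)
    if fmt == "DER":
        return data
    if fmt == "PEM":
        body = PEM_RE.search(data).group(1)
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if sniff_format(der) != "DER":
            raise ValueError("PEM body does not decode to a single DER SEQUENCE")
        return der
    raise ValueError("not a PEM or DER certificate file")

# Constructed samples (hypothetical, not real certificates):
# a minimal DER SEQUENCE { INTEGER 5 } and its PEM-armored form.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Running `sniff_format` on a downloaded root file before handing it to the browser's wizard tells you whether a ".cer" is really PEM text, which a DER-only installer will refuse.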

Conclusion: new trusted CA (Certificate Authority) certificates may
be installed into Internet Explorer 5 for Macintosh if you work at it.
Whew.