There is a client C# application deployed on server A. That application communicates with server B, where ActiveMQ is running, and uses the SSL protocol. Certificates are imported on server A and server B (both certs into the Current User store: the client cert into the Personal folder and the server cert into Cert Authority).

Running the application directly from machine A causes no problem. But for real work, the user has to run the C# application from machine C using a shared folder on server A. In that case, the connection cannot be established. If I import the cert on machine C, it works fine.

Does it mean I have to import the cert on each user's machine? Or put the certificates on server A into the Local Computer folder?

Vitaliy

1 Answer

You will need to have the certificate imported locally, as sharing a certificate using some shared storage or the like would not provide an adequate level of security for the OS to treat that as a trusted store. That is the cost of using SSL: the trusted certificates need to be available in a trusted location.

Tim Bish
  • So, anyway, I have to import certs on all users' machines, right? Can you please specify how to import a certificate locally as sharing a certificate using some shared storage? I tested: copied certs into a subfolder of the application shared folder (where the user runs the application from) and imported the certs into the cert storage on the client machine using MMC. Is that what you propose? – Vitaliy Oct 17 '19 at 15:29
  • I think you misunderstood what Tim said. He's saying you should import the certs on all users' machines because sharing them via shared storage won't work. You said yourself that if you import the cert on machine C it works fine. You simply need to do that for all the relevant clients. – Justin Bertram Oct 17 '19 at 15:44
  • What I described in my test exactly means I imported the certs on the user's machine. But it's not what I would like to do. The problem is that my application works as an add-on to an application the client uses from another company, and I use certificates of that company. Replication of certificates on, let's say, 50-100 machines is not really what the client expects. That's why I am looking for a better solution. – Vitaliy Oct 17 '19 at 15:57
  • I guess the only simple solution would be to sign your broker Certificates with a trusted Root CA that is already supplied in the OS's trusted CA store. If you are using your own root CA then you'd have to make it available to all the machines. – Tim Bish Oct 17 '19 at 16:08
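
A diagnostic for the situation in this thread, as an added example that is not code from the question or the answer: it reports which Windows certificate stores on the machine where the process executes hold the client and broker certificates, and whether the broker certificate chains to a root trusted there. The class name, the two command-line arguments (client certificate thumbprint, path to an exported broker `.cer` file) and the .NET Framework 4.6+ / .NET Core target are assumptions.

```csharp
// Added example: run from the shared folder on each machine to compare results.
using System;
using System.Security.Cryptography.X509Certificates;

static class CertStoreCheck
{
    // Looks in one store of the machine and user running this process;
    // the machine that hosts the shared folder is never consulted.
    static bool InStore(StoreName name, StoreLocation location, string thumbprint)
    {
        using (var store = new X509Store(name, location))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, so expired or untrusted entries are still reported
            return store.Certificates
                        .Find(X509FindType.FindByThumbprint, thumbprint, false)
                        .Count > 0;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: CertStoreCheck <client-thumbprint> <broker.cer>");
            return;
        }
        string clientThumbprint = args[0];              // placeholder input
        var brokerCert = new X509Certificate2(args[1]); // exported broker or CA cert

        Console.WriteLine($"Machine: {Environment.MachineName}, user: {Environment.UserName}");
        foreach (var loc in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            Console.WriteLine($"{loc}\\My has client cert: {InStore(StoreName.My, loc, clientThumbprint)}");
            foreach (var name in new[] { StoreName.CertificateAuthority, StoreName.Root })
                Console.WriteLine($"{loc}\\{name} has broker cert: {InStore(name, loc, brokerCert.Thumbprint)}");
        }

        using (var chain = new X509Chain())
        {
            // Skip revocation lookups so the check also works offline.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            Console.WriteLine($"Broker cert chains to a trusted root here: {chain.Build(brokerCert)}");
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine($"  {s.Status}: {s.StatusInformation.Trim()}");
        }
    }
}
```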