[edit] i just realised i was too vague even i couldn't understand what i said 🙂
so let me explain in detail - this explanation is for apache2 i'm not experienced with IIS.
make sure your server certificates matches the website.
-- meaning the CN part of the server certificate must match the DNS name of the website. to check your certificate using openssl - do this
openssl asn1parse -inform PEM -in filename -noout
this should show you very detailed info about your server certificate + CA certificate
send the "ca" certificate to the user and make sure the users certificate is valid.
-- exactly what it says - send the CA certificate file to the user and keep the CA key (if you are your own CA) in a very safe place
if you have a crl (certificate revocation file) then declare it in the webserver.
-- in apache under the ssl configuration you have to declare the name and path of the crl file -
SSLCARevocationFile ca-bundle.crl
SSLCARevocationPath ..\openssl\certs\crl\
for more info check out the mod_ssl section in apache2 docs
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html
if you dont have a crl file, you can create a new one with openssl -
openssl ca -revoke "bad_crt_file" -keyfile ca_key -cert ca_crt
"bad_crt_file" is the name of a fake file, basically you have to revoke something to create a crl file. then add the file to the apache httpd.conf file with the lines above with sslcarevocation.
if you follow the above steps you should not recieve the popup on the client computer anymore.
good luck
vamsi
