pb with self-signed certificate and certificate installation within IE browser


Post by Marc-Olivier BERNA » Fri, 23 May 2003 22:14:51



Hi there,

I carefully read and applied the instructions from

http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

to create a self-signed CA certificate on my Linux machine
(redhat 7.3,
apache-1.3.27-2, mod_ssl-2.8.12-2).

The Mozilla client could store that certificate in order to reuse it
the next time the URL is visited, but with IE(6):
* I can install the certificate with importation wizard within the
certificate store
* I can find the certificate in the certificate store but it is
mentioned that Windows doesn't have enough information to validate the
certificate?
* When exiting IE and launching it again, IE could not (of course) use
that certificate?

I could not find any information on the subject.

Any idea?

 
 
 


Post by Paul Rubi » Fri, 23 May 2003 22:40:47


What I've found is you have to create an actual CA certificate with
the CA.pl script included with openssl, then sign a server cert with
it.  You can then import the CA cert into your browser and after
that the browser should recognize any certs signed with it.
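
The procedure described in the reply above (a CA certificate, then a server certificate signed by it), written out as an added example that is not part of the thread. It calls `openssl req` and `openssl x509` directly rather than the CA.pl wrapper mentioned in the post, and every name in it (Example Lab, www.example.test, the file names) is constructed.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate signed by it.
# Every name (Example Lab, www.example.test, file names) is constructed.
set -eu

build_chain() {            # usage: build_chain <output-dir> <hostname>
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed root; CA:TRUE marks it as allowed to issue certificates.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ext.cnf" -extensions v3_ca \
        -subj "/O=Example Lab/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and signing request; the key never leaves the server.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/O=Example Lab/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. The CA signs the request; the result is a leaf, not a CA.
    openssl x509 -req -in "$dir/server.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ext.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null
    # 4. DER copy of the CA certificate only (no key) for import into clients.
    openssl x509 -in "$dir/ca.crt" -outform DER -out "$dir/ca.cer"
}

# Succeeds only if server.crt chains to ca.crt, which is what a client checks
# once the CA certificate is in its trusted-root store.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_chain "$demo" www.example.test
chain_ok "$demo" && echo "server.crt verifies against ca.crt"
```

Only `ca.crt` (or `ca.cer`) is distributed to clients; `ca.key` stays offline, since anyone holding it can issue certificates those clients will trust.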

 
 
 


Post by Andre » Sat, 24 May 2003 22:30:14


Hi everybody,

I have used the method described at http://ww.apache-ssl.org and it worked,
but I still have problems creating, and / or importing 'client certificates'!

Regards

> Hi there,

> I carefully read and applied the instructions from

> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

> to create a self-signed CA certificate on my Linux machine
> (redhat 7.3,
> apache-1.3.27-2, mod_ssl-2.8.12-2).

> The Mozilla client could store that certificate in order to reuse it
> the next time the URL is visited, but with IE(6):
> * I can install the certificate with importation wizard within the
> certificate store
> * I can find the certificate in the certificate store but it is
> mentioned that Windows doesn't have enough information to validate the
> certificate?
> * When exiting IE and launching it again, IE could not (of course) use
> that certificate?

> I could not find any information on the subject.

> Any idea?

 
 
 


Post by Paul Rubi » Sun, 25 May 2003 11:26:31



> Hi everybody,

> I have used the method described at http://ww.apache-ssl.org and it worked,
> but I still have problems creating, and / or importing 'client certificates'!

If you mean client certificates from a browser, doing that is complicated
and browser specific.  If you mean from some OpenSSL client app, it's
straightforward.
 
 
 


Post by Andre » Wed, 28 May 2003 18:23:56


I indeed meant the 'browser' certificate.

Regards


> > Hi everybody,

> > I have used the method described at http://ww.apache-ssl.org and it worked,
> > but I still have problems creating, and / or importing 'client certificates'!

> If you mean client certificates from a browser, doing that complicated
> and browser specific.  If you mean from some OpenSSL client app, it's
> straightforward.

 
 
 


Post by Paul Rubi » Sat, 31 May 2003 07:08:18



> I indeed meant the 'browser' certificate.

Try pyca.de in that case.
 
 
 


Post by Marc-Olivier BERNA » Wed, 04 Jun 2003 01:22:01


Thank you for that information. I will try it next.

Marc-Olivier Bernard



> > I indeed meant the 'browser' certificate.

> Try pyca.de in that case.

 
 
 

1. SMTP TSL with own certificates: not self-signed?

Okay, here's the plan: to use my Linux box (running Postfix) as a mail
relay for myself, and only myself (so call me selfish), allowing me to send
mail from my laptop no matter where I am or how I'm hooked up to the
Internet.

In fact I've achieved this already, but not as securely as I would like. At
the moment I'm using TLS over port 25, with only one secure AUTH method
allowed. The settings in Postfix's main.cf are pretty stringent, so I think
I'm fairly well protected against UCE and unwanted mail relaying.

So what, you may ask, is my problem? From what I can tell, if my SASL
username and password can be gleaned (by guess or by brute force) then my
Linux box can be used as a mail relay by the lucky hacker. What I would
like to do is create a client certificate that sits on my laptop, and have
Postfix only relay mail for a certificate with that fingerprint (using
relay_clientcerts in main.cf, I believe). The problem is that I'm far too
cheap to pay VeriSign $50 or more a year for a certificate and, despite
having read until my eyes are sore, I can't figure out how (or if it is
indeed possible) to create a certificate for myself (using more than one
machine?) that both Pine (on the laptop) and Postfix (on the Linux box)
will consider to be trusted and non self-signed (a Pine restriction).

If what I'm asking is impossible, then perhaps there's another way to
achieve what I'm after. I will be grateful for any and all suggestions
(well, okay, the non-flame ones).

Thanks,
-- Robert
