hi all,

I have gone through the process of self signing certificates.
Aside from the pop-ups about not trusted etc... everything appears to work.

For "internal" applications what do people/places do?
It would be nice to be seamless and have the "you're not trusted" window pop-up.
Yet this is not a public web site either. Just internal use.
The server might be on the internet but people from the internet are not using it.

I presume there is no way to by-pass the certificate signing process - even for internal apps.
Is there?

Thanks,

Jerry
On Mon, Aug 24, 2009 at 9:32 AM, Jerry Geis <geisj at pagestation.com> wrote:
> For "internal" applications what do people/places do?
> It would be nice to be seamless and have the "you're not trusted" window
> pop-up.
> Yet this is not a public web site either. Just internal use.
> The server might be on the internet but people from the internet are not
> using it.
>
> I presume there is no way to by-pass the certificate signing process -
> even for internal apps.
> Is there?
>
> Thanks,
>
> Jerry
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

If you are in a windows domain you can distribute the public certificate of your "signing authority" using active directory. This will prevent IE from showing the untrusted warning. Otherwise you can install the public certificate into the users' web browser and any certs you sign will show as trusted.

If you can give an idea of what platform/browser I can provide more specifics.

Brian
> If you are in a windows domain you can distribute the public
> certificate of your "signing authority" using active directory. This
> will prevent IE from showing the untrusted warning. Otherwise you can
> install the public certificate into the users' web browser and any
> certs you sign will show as trusted.
>
> If you can give an idea of what platform/browser I can provide more specifics.

Brian,

Just my linux server and IE or firefox clients. I don't see many people connecting - just unknown of something popping up on a user's screen that they don't know what to do about. No active directory in use.

Jerry
At Mon, 24 Aug 2009 09:32:00 -0400 CentOS mailing list <centos at centos.org> wrote:
> hi all,
>
> I have gone through the process of self signing certificates.
> Aside from the pop-ups about not trusted etc... everything appears to work.
>
> For "internal" applications what do people/places do?
> It would be nice to be seamless and have the "you're not trusted" window
> pop-up.
> Yet this is not a public web site either. Just internal use.
> The server might be on the internet but people from the internet are not
> using it.
>
> I presume there is no way to by-pass the certificate signing process -
> even for internal apps.
> Is there?

I think you need to set yourself up as a certificate authority and have the people (clients) on the intranet import your certificate authority (CA) into their browsers and E-Mail clients. Once that is done, you use your certificate authority thing to sign your cert(s). Since you are a "certificate authority" as far as the web browser is concerned, all of the cert(s) you sign with your "certificate authority" are trusted. (I don't know exactly how to do this, just know what the admins in the UMass CS Dept. set up for internal https and imaps servers.)

> Thanks,
>
> Jerry
>

--
Robert Heller -- 978-544-6933
Deepwoods Software -- Download the Model Railroad System
http://www.deepsoft.com/ -- Binaries for Linux and MS-Windows
heller at deepsoft.com -- http://www.deepsoft.com/ModelRailroadSystem/
One time you talk about applications, one time about a web site. It's also not clear what you actually want to achieve. So, what is the exact question/problem?

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
----- Original Message ----
> From: Jerry Geis <geisj at pagestation.com>
> To: CentOS ML <centos at centos.org>
> Sent: Monday, 24 August, 2009 14:32:00
> Subject: [CentOS] self signing certificates
>
> hi all,
>
> I have gone through the process of self signing certificates.
> Aside from the pop-ups about not trusted etc... everything appears to work.
>
> For "internal" applications what do people/places do?
> It would be nice to be seamless and have the "you're not trusted" window
> pop-up.
> Yet this is not a public web site either. Just internal use.
> The server might be on the internet but people from the internet are not
> using it.
>
> I presume there is no way to by-pass the certificate signing process -
> even for internal apps.
> Is there?
>
> Thanks,
>
> Jerry
>

A trusted cert can be bought for as little as £12 ($19) a year, so for me, it's cheaper (in time) and less effort to buy a real certificate and find that everything 'just works'.

http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.php

No affiliation.
> From: Jerry Geis <geisj at pagestation.com>
> To: CentOS ML <centos at centos.org>
> Sent: Monday, 24 August, 2009 14:32:00
> Subject: [CentOS] self signing certificates
>
> hi all,
>
> I have gone through the process of self signing certificates.
> Aside from the pop-ups about not trusted etc... everything
> appears to work.
>
> For "internal" applications what do people/places do?
> It would be nice to be seamless and have the "you're not trusted"
> window pop-up.
>

As someone else previously detailed, you really need to have a root signing CA that only signs certs for your issuing CAs and then use the issuing CAs to sign end use certificates of whatever types you deem appropriate. It is considered required practice that root CA and issuing CAs must be physically isolated from all network connections and that floppy or sneaker net must be used to handle incoming CSRs and outgoing CERTs. If you are simply using certs for encryption and not for authentication then this practice probably can be safely dispensed with. If you ARE using certs for authentication then this provision is absolutely required.

The arrangement of self-signed root CA <--CSR--- Issuing CA <--CSR--- end-user is now critical for Firefox users. Releases in the 3.x series will no longer trust any self-signed CA certificate. So, to avoid the warning box in Firefox you must have the end use certificates signed by an intermediate CA whose own certificate may however be signed by a self-signed root.

> Yet this is not a public web site either. Just internal use.
> The server might be on the internet but people from the internet
> are not using it.
>

Well, the available software has no way of figuring that out for itself, so it makes no difference. And, to be precise, "people from the internet should not be using it", which is rather a different thing.

> I presume there is no way to by-pass the certificate signing
> process - even for internal apps.
> Is there?
>

Not unless you can live with the warning boxes.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                    mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited              http://www.harte-lyne.ca
9 Brockley Drive                  vox: +1 905 561 1241
Hamilton, Ontario                 fax: +1 905 561 0757
Canada  L8E 3C3
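The root CA -> issuing CA -> end-user layout described in the message above, as an added example in shell (not code from the thread or from any poster): it builds the three certificates with openssl, then verifies the server certificate the way a browser that has imported only the root would, once with and once without the issuing CA certificate. All names, file names, the hostname and the validity periods are made-up assumptions.

```shell
#!/bin/sh
# Added example: three-tier internal PKI with openssl, not code from the thread.
# Everything here (CA names, hostname, lifetimes) is an assumption for illustration.
set -eu

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder (overridden by -subj)
EOF
}

build_internal_pki() {
  dir="$1"
  mkdir -p "$dir"
  write_req_config "$dir"

  # 1. Self-signed root CA. Kept offline in practice; it only ever signs issuing CAs.
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/root.key" -out "$dir/root.pem" -days 3650 \
    -subj "/CN=Example Internal Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash"

  # 2. Issuing CA: a CSR signed by the root. pathlen:0 limits it to signing
  #    end-entity certificates, so it can never mint another CA.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/issuing.key" -out "$dir/issuing.csr" \
    -subj "/CN=Example Internal Issuing CA"
  cat > "$dir/issuing.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
  openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/issuing.ext" -out "$dir/issuing.pem"

  # 3. Server certificate signed by the issuing CA. The SAN carries the
  #    hostname; browsers match on SAN, not on CN.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/CN=intranet.example.internal"
  cat > "$dir/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:intranet.example.internal
authorityKeyIdentifier=keyid
EOF
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$dir/server.ext" -out "$dir/server.pem"

  # What the web server must present: its own cert followed by the issuing CA cert.
  cat "$dir/server.pem" "$dir/issuing.pem" > "$dir/server-chain.pem"
}

# A client that trusts only the root can build the chain if it also gets the issuing CA.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" "$1/server.pem" >/dev/null 2>&1
}

# Same client, but the server sent only its own cert: this fails, which is
# exactly the warning users see when the intermediate is missing.
verify_without_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run: build into a scratch directory and show both outcomes.
PKI_DIR="$(mktemp -d)"
build_internal_pki "$PKI_DIR"
if verify_with_chain "$PKI_DIR"; then
  echo "with issuing CA cert:    server cert verifies against the root"
fi
if verify_without_chain "$PKI_DIR"; then
  echo "without issuing CA cert: verified (unexpected)"
else
  echo "without issuing CA cert: verification fails, as it does in a browser"
fi
echo "chain to install on the web server: $PKI_DIR/server-chain.pem"
```

The two checks at the end are the practical takeaway for the Firefox problem the message raises: clients that have imported only the root still need the issuing CA certificate, and the only reliable place for them to get it is the server's own certificate chain, so the bundle file, not the bare server certificate, is what goes into the web server configuration.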
Jerry Geis <geisj at pagestation.com> wrote:
>>
Was just trying to find a way so that users that "don't know" what this box is that is popping up won't even see the box.
<<

Can't you install your own root certificate into the internal client browsers? The book "Network Security Hacks" (Andrew Lockhart, O'Reilly) gives a procedure for doing this (p. 112). You generate a .der file from the cacert.pem file, add a new mime type in the Apache config and then make the pem and der files available on your server. The users can now install the new root cert by just clicking on a link.

(Sorry if this has already been covered - I wasn't paying attention to the earlier discussion).

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
Keith Keller <kkeller at speakeasy.net> wrote:
>>
If you're going to go through that much trouble
<<

Although I didn't quote the entire process here (copyright, time, etc.) it's only one command, the adding of one line to the Apache httpd.conf, (probably) scp'ing the files onto the server and providing a link on a page somewhere. Oh, and reloading Apache. 5 mins, tops. If you're a slow typist.

But I must admit, I've not bothered to do it myself. One of these days. . .

Best,

--- Les Bell [http://www.lesbell.com.au]
Tel: +61 2 9451 1144
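The publishing step sketched in the two messages above (convert the CA certificate to .der, map a MIME type in Apache, put the files behind a link), as an added example in shell that is neither the book's procedure nor anything posted in the thread. It also prints the certificate's SHA-256 fingerprint, which is worth publishing next to the download link so a user can compare it with what the browser's import dialog shows before trusting the CA. The CA name, file names and the Apache path are assumptions; the MIME type application/x-x509-ca-cert is the one browsers recognise for CA certificates.

```shell
#!/bin/sh
# Added example: publish an internal CA certificate for browser import.
# Not from the thread or the book; names and paths are made up.
set -eu

# Minimal config so `openssl req` does not depend on a system openssl.cnf.
write_req_config() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder (overridden by -subj)
EOF
}

# Stand-in for the cacert.pem you already have; only here so the example
# is self-contained.
make_demo_ca() {
  write_req_config "$1"
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/cacert.key" -out "$1/cacert.pem" -days 3650 \
    -subj "/CN=Demo Internal CA" 2>/dev/null
}

# Browsers import the DER encoding; this is the one command the book refers to.
pem_to_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
}

# SHA-256 fingerprint, colon-separated hex only. $2 is PEM or DER.
fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Apache mapping, scoped to the directory holding the certificate files so
# other .pem files on the server are not served as certificates.
apache_mime_snippet() {
  printf '%s\n' \
    '<Directory "/var/www/html/ca">' \
    '    AddType application/x-x509-ca-cert .der .pem' \
    '</Directory>'
}

# Stand-alone run.
PUB_DIR="$(mktemp -d)"
make_demo_ca "$PUB_DIR"
pem_to_der "$PUB_DIR/cacert.pem" "$PUB_DIR/cacert.der"
FP_PEM="$(fingerprint "$PUB_DIR/cacert.pem" PEM)"
FP_DER="$(fingerprint "$PUB_DIR/cacert.der" DER)"
echo "publish next to the download link: SHA-256 $FP_PEM"
if [ "$FP_PEM" = "$FP_DER" ]; then
  echo "cacert.der is the same certificate as cacert.pem"
fi
echo "add to httpd.conf, then reload Apache:"
apache_mime_snippet
```

The fingerprint is the check that makes the one-click import safe to recommend: a user who sees a different value in the import dialog than the one on the intranet page should cancel, since what is being installed is a certificate that will silently validate every site the CA signs.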