Koozali.org: home of the SME Server

There is a problem with this website's security certificate

Offline brentonv

There is a problem with this website's security certificate
« on: December 04, 2007, 12:34:37 PM »
Hi again. I was hoping someone could please explain in some detail what this message means and how to avoid it:

Quote
There is a problem with this website's security certificate

I have followed the http://wiki.contribs.org/Custom_CA_Certificate howto perfectly; however, I cannot get rid of the warnings.

regards,
brenton

Offline Confucius

Re: There is a problem with this website's security certificate
« Reply #1 on: December 04, 2007, 01:33:14 PM »
I suggest importing one of the keys into your browser from this page: http://www.cacert.org/index.php?id=3
This will make your browser trust CACert-provided trusts. Most browsers don't support it out of the box.

Offline brentonv

Re: There is a problem with this website's security certificate
« Reply #2 on: December 05, 2007, 12:23:36 AM »
That worked fine, Confucius (although my copy of Vista puts up quite a fight when you try to install the root certificate); however, I guess I was going down the wrong path. What I really wanted to achieve was a local trust for IE7. The cacert.org certificate verifies multiple domains but not the actual machine. I want to be able to log into my box using either the IP address or the server name and avoid the warning messages, and I would prefer to use a certificate rather than add it as a trusted computer in IE.

Would this be what I need to do? http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/nickcritten/howtos/ssl7.htm And if so, would it somehow clash with my cacert.org certificate?

One other concern is that I have read on contribs somewhere that Apache stops working when the cacert.org certificate expires. Is this true? And if so, what would be best practice for keeping it up to date? Do you have to reinstall a new certificate every 6 months?

So many questions.....
Regards,
brenton

Offline brentonv

Re: There is a problem with this website's security certificate
« Reply #3 on: December 07, 2007, 06:07:15 AM »
Hi. Could someone please have another look at this?
Regards,
brenton

Offline mmccarn

Re: There is a problem with this website's security certificate
« Reply #4 on: December 07, 2007, 01:06:25 PM »
The SSL certificate trust model is based on the concept that I can trust "web site X" because "signing authority Y" says I should.

When connecting via https, a visitor's browser asks for your site's "certificate" and makes 2 checks:
- Does the name listed in the certificate match the name used to access the site?
- Is the certificate "signed" by one of the SSL signing authorities in my list of "Trusted Root Certification Authorities"?

By default Windows has a list of commercial Root Certification Authorities that act as "signing authority Y". The certificates for these authorities (Verisign, QuoVadis, Microsoft, Go Daddy, Hong Kong Post, and several others) are pre-installed by Microsoft (presumably for a fee).

In the instance of a self-signed certificate, you manually generate an SSL certificate for your website that claims to be signed by your own server - then you must manually add your own server's certificate to all visitors' lists of "Trusted Root Certification Authorities".

In the case of a CA Cert certificate, you work with CA Cert to generate a certificate signed by CA Cert, then manually add CA Cert's certificate to all visitors' lists of "Trusted Root Certification Authorities".

If you buy a certificate from one of the pre-installed Root Authorities that matches your server name, you don't need to do any manual root certificate manipulation because Microsoft has already pre-installed the certificates for these authorities.

If the name you are using to access your server does not exactly match the name used to generate the server's certificate, visitors will receive an error message no matter who signed your certificate.

If you generate a certificate for server "my.smeserver.com", then try to access it at "https://a.b.c.d", you'll get an error because "a.b.c.d" does not match "my.smeserver.com". If you try to access it at "www.smeserver.com", you'll get an error for the same reason.

To have a certificate as you want that allows access both by name and IP address without showing any errors, you need to build the certificate to support multiple different names. I know you can build one saying "my.smeserver.com" and "*.smeserver.com", but I don't know how to build one that adds a totally separate name like "a.b.c.d".

To figure out exactly why your browser doesn't like your certificate, browse to your website using IE7, click on the prominent and annoying "Certificate Error" button to the right of the Address, then click "View certificates". The "General" tab will show you the certificate details for the current website - see what it says.
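
The first of mmccarn's two checks (does the name in the certificate match the name typed into the browser?) can be exercised locally with OpenSSL. This is an added example, not code from the thread or from the SME Server howto; it also goes one step beyond the post by putting an IP address into the certificate as a subjectAltName IP entry, which is how a separate name like "a.b.c.d" is added. The hostnames, the 192.0.2.10 address and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the SME Server howto): build a
# certificate whose subjectAltName lists the hostname, a wildcard and an
# IP address, then run the browser's first check (name match) against it.
# Names and the 192.0.2.10 address are constructed placeholders.
WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"

# Generate a self-signed cert with DNS and IP entries in subjectAltName.
# A config file is used so this also works on OpenSSL versions that
# lack the newer -addext option.
make_san_cert() {
  cat > "$WORK/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_san
[dn]
CN = my.smeserver.com
[v3_san]
subjectAltName = DNS:my.smeserver.com, DNS:*.smeserver.com, IP:192.0.2.10
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/san.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Exit 0 when the certificate's names cover the hostname the visitor typed
# (same rules a browser applies: exact SAN entries and single-label wildcards).
cert_matches_host() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# Exit 0 when the address typed into the browser is listed as an IP SAN
# entry; a CN or DNS entry never satisfies this check.
cert_matches_ip() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkip "$1" | grep -q 'does match'
}

make_san_cert
for name in my.smeserver.com www.smeserver.com smeserver.com; do
  if cert_matches_host "$name"; then echo "$name: ok"; else echo "$name: MISMATCH"; fi
done
for ip in 192.0.2.10 192.0.2.11; do
  if cert_matches_ip "$ip"; then echo "$ip: ok"; else echo "$ip: MISMATCH"; fi
done
```

The bare domain "smeserver.com" and the second address fail because neither is listed and the wildcard only covers one label. A certificate built this way still fails mmccarn's second check (trusted signer) until its issuer is in the visitor's root store; this script only demonstrates the name match.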

Offline perelandra

Re: There is a problem with this website's security certificate
« Reply #5 on: December 07, 2007, 03:39:48 PM »
Quote
To have a certificate as you want that allows access both by name and IP address without showing any errors you need to build the certificate to support multiple different names. I know you can build one saying "my.smeserver.com" and "*.smeserver.com", but I don't know how to build one that adds a totally separate name like "a.b.c.d".

This seems to be (half) an answer to my question in thread http://forums.contribs.org/index.php?topic=39310.0 about Multi Domains Certificates (UCC)

Will they work on an SME-Machine?

Any comments on the subject are very appreciated.
Greetings, Johannes

Offline raem

Re: There is a problem with this website's security certificate
« Reply #6 on: December 07, 2007, 03:58:16 PM »
perelandra

If you follow the Howto
http://wiki.contribs.org/Custom_CA_Certificate
it will create a certificate that includes all current domains hosted on your sme server.
I have a cacert certificate that includes 15 hosted domains.

I can't specifically comment on Godaddy, but I assume it would work similarly.

brenton
As mmccarn says, I don't know how or if you can specify IPs as valid domains.
...

Offline perelandra

Re: There is a problem with this website's security certificate
« Reply #7 on: December 07, 2007, 04:25:16 PM »
Thank you very much for your answer, Ray!!
Greetings, Johannes

Offline brentonv

Re: There is a problem with this website's security certificate
« Reply #8 on: December 08, 2007, 12:29:08 AM »
Thank you very much, everyone, for your responses. Could someone please try to answer my last question:

Quote
One other concern is that I have read on contribs somewhere that Apache stops working when the cacert.org certificate expires. Is this true? And if so, what would be best practice for keeping it up to date? Do you have to reinstall a new certificate every 6 months?

because if this is going to create problems for an unmanaged server, I would prefer to get rid of the certificate (how would I do this also?).

Regards,
brenton

Offline william_syd

  • Nothing to see here.
    • http://www.magicwilly.info
Re: There is a problem with this website's security certificate
« Reply #9 on: December 08, 2007, 01:15:32 AM »
Quote
Thank you very much, everyone, for your responses. Could someone please try to answer my last question:

because if this is going to create problems for an unmanaged server, I would prefer to get rid of the certificate (how would I do this also?).

Regards,
brenton

False.

I just renewed the cert for https://secure.magicwilly.info. I was late by one day, but things kept ticking along apart from browsers complaining.
Regards,
William

IF I give advice.. It's only if it was me....

Offline brentonv

Re: There is a problem with this website's security certificate
« Reply #10 on: December 08, 2007, 01:24:22 AM »
Thanks, william_syd. I am in Melbourne and have always noticed your posts. SME seems very popular in Oz. Good to hear from you. Could you please also tell me:

Do you have to register all of your sub-domains and www with cacert.org, or can you leave it as a wildcard? And do you just renew with cacert.org, or do you also have to install a renewed certificate as well?

Thanks,
brenton

Offline william_syd

  • Nothing to see here.
    • http://www.magicwilly.info
Re: There is a problem with this website's security certificate
« Reply #11 on: December 08, 2007, 10:10:14 AM »
I've only got the domain magicwilly.info registered with CaCert.

The CSR was probably generated by Slord's script, which is in the wiki, so it probably has a wildcard for Subject Alt Names (SANs).

Oh, until the CaCert root cert is distributed with all browsers/operating systems you won't automatically get rid of the warning, except when using the Firefox that comes with CentOS distributions.

Quote
Note: CentOS has included CAcert.org as a Trusted Certificate Authority in both CentOS 3 and CentOS 4. We wish that other FOSS distributions would do the same, so people could easily get and use free SSL Certificates.

« Last Edit: December 08, 2007, 10:16:38 AM by william_syd »
Regards,
William

IF I give advice.. It's only if it was me....