Koozali.org: home of the SME Server

install certificate following HOWTO

Offline BlueLake

« on: June 08, 2010, 05:36:11 PM »
I have followed the instructions (and searched forums for answers) using the HOWTO by Dietmar Berteld on installing a certificate. On the line /etc/e-smith/templates-custom/home/e-smith/ssl.crt I get line 25 syntax error near unexpected token '('. Removing this and its companion and repeating the process, I then get a line 37 syntax error 'C' .... There may be others, but this is as far as I dare go. Have I missed a command out somewhere? There is no mention of anything above this. Or do I need to add something to the /etc/e-smith.... line?

Offline CharlieBrady

« Reply #1 on: June 08, 2010, 05:48:12 PM »
Quote
I have followed the instructions (and searched forums for answers) using the HOWTO by Dietmar Berteld on installing a certificate.

What is the URL of that howto?

Quote
On the line /etc/e-smith/templates-custom/home/e-smith/ssl.crt I get line 25 syntax error near unexpected token '('. Removing this and its companion and repeating the process, I then get a line 37 syntax error 'C' ....

You don't need any custom templates to deploy a third party SSL certificate. I

Offline CharlieBrady

« Reply #2 on: June 08, 2010, 05:51:07 PM »
Quote
What is the URL of that howto?

I guess you mean:

http://wiki.contribs.org/Certificate

Quote
You don't need any custom templates to deploy a third party SSL certificate. I

See the section headed "Custom Certificate for SME 7.1.3 and above". That's all you need to do (delete your custom template). The rest of the HOWTO should just be deleted - it's obsolete (7.1.3 was a long time ago now).


Offline BlueLake

« Reply #3 on: June 08, 2010, 06:35:06 PM »
Hi

I guess you mean the following HOWTO http://wiki.contribs.org/Custom_CA_Certificate which looks extremely complicated...!

Offline BlueLake

« Reply #4 on: June 08, 2010, 06:41:23 PM »
Hi again

Yes! I see the section you referred to... so that's all I need to do? Those five lines of commands after deleting the last HOWTO.

Offline Laager

« Reply #5 on: June 11, 2010, 12:57:04 PM »
Quote
I have followed the instructions (and searched forums for answers) using the HOWTO by Dietmar Berteld on installing a certificate. On the line /etc/e-smith/templates-custom/home/e-smith/ssl.crt I get line 25 syntax error near unexpected token '('. Removing this and its companion and repeating the process, I then get a line 37 syntax error 'C' .... There may be others, but this is as far as I dare go. Have I missed a command out somewhere? There is no mention of anything above this. Or do I need to add something to the /etc/e-smith.... line?

Have a look at what I did:

http://forums.contribs.org/index.php/topic,44321.0.html

Offline BlueLake

« Reply #6 on: June 11, 2010, 03:58:17 PM »
Hi Laager and thanks for the reply...

I guess what I am really after is the padlock icon when someone goes to a secure site. I am setting up an ecommerce web site for my wife's business (bed and breakfast) and need to assure customers the site is valid, for obvious reasons. But from what I have read in this forum and via Google pages I think it's going to cost money. I did read your post and it seems you had a similar problem. Would signing my own certificate count as secure? Surely every SCAM site does this? - hence the cost involved in bona fide certificates. If there is a solution (without too much cost involved) I would love to know it.

Offline piran

« Reply #7 on: June 11, 2010, 04:27:37 PM »
Your SME is secure and a self-signed certificate is 'OK'.
Glibly: to be perceived as 'secure' your average visitor's
browser has to be assured by an apparently trustworthy
path of apparently authorised signatories. The latter
can only be deemed thus by, for instance, topping up
M$ coffers. Yes, that secure trust can be purchased...
These people then charge out that implied trust by
letting you use their virtual key, the one that M$
now includes in its trust path not because they
are particularly trustworthy but because M$ has
been paid;~) So, trust is what you make of it and
usually this costs. Any other path always results in
an inferior 'customer experience' ie they are forced
to see really off-putting messages or having to
apparently 'trust' blindly. It's a can of worms that
is tightly controlled by finances. If you want in then
you have to cough up. If you don't then you have
to accept that your customers will see quite scary
messages. The 'trust' isn't trust, it just means
you can afford the ante to be perceived thus.
Only way around the cartel is for, somehow, an
Open Source type of trust authority to make first
base and beyond with the fee-accepting majors...
It might happen. Then again it might not.
OTOH would you 'trust' a free certificate;~)

Offline BlueLake

« Reply #8 on: June 11, 2010, 04:38:37 PM »
Yes I take your point. Having made quite a good living as a programmer for Microsoft I do not feel I want to give it all back. There must be a good gap in the market for a "Trusted" open source certificate.

Offline piran

« Reply #9 on: June 11, 2010, 04:44:49 PM »
Quote
Yes I take your point. ... There must be a good gap in the market for a "Trusted" open source certificate.

...but when. And I can't see it happening for B&B's
and other small businesses like a lot of us represent;~/

Offline janet

« Reply #10 on: June 11, 2010, 05:06:54 PM »
BlueLake

Quote
There must be a good gap in the market for a "Trusted" open source certificate.

http://wiki.contribs.org/Custom_CA_Certificate
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline cactus

« Reply #11 on: June 11, 2010, 06:12:50 PM »
Quote
There must be a good gap in the market for a "Trusted" open source certificate.

There is... and it has long since been filled, have a look at http://www.cacert.org/.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline piran

« Reply #12 on: June 11, 2010, 06:35:35 PM »
Quote
There is... and it has long since been filled, have a look at http://www.cacert.org/.

Not filled. No more than partially addressed.
Last time I looked into their offering I couldn't get more
than 6mths, was physically located absolutely nowhere
near anybody with any transferable trust, still had to
explain to my mystified customers why they were being
'forced' to accept a root trust (beforehand) and still had
scary messages with which to contend. It still costs to
get transparent 'trust', the sort everyone expects
nowadays in commercial/ecommerce situations.
Then there's the knotty issue of only one cert per SME
with respect to (open or commercial) certs. And Cacert
had great trouble with servername.mydomain.com and
plain old mydomain.com that was preferable for the site.
So "filled"... no, not yet.

[PostEdit: amended 'SSL' to 'cert']
« Last Edit: June 11, 2010, 06:41:43 PM by piran »

Offline BlueLake

« Reply #13 on: June 11, 2010, 09:28:50 PM »
Well said Cactus... so what would it take to establish a recognised authority that could guarantee a certificate for small business? This is the market gap, and one that could represent a big percentage of the people who actually need the padlock symbol on their sites without having to take out a second mortgage to the large corporations that dictate how we should all behave on the web. Surely this could be overcome with some very serious thought and some dedicated professionals.... You have my attention.

Offline CharlieBrady

« Reply #14 on: June 11, 2010, 09:31:58 PM »
Quote
so what would it take to establish a recognised authority that could guarantee a certificate for small business?

A hell of a lot of market clout. So lots of time and money. I don't think anyone here is going to get that task done.

Offline BlueLake

« Reply #15 on: June 11, 2010, 10:05:54 PM »
Yes I agree there would be some mountain to climb but the view from the top would be fantastic. This also seems to be one of the biggest issues with a lot of SME users judging by the amount of text used on this forum and others. On my original search for info on this subject it seemed like nearly everyone had an issue with certificates and Microsoft/Firefox/Chrome etc... because of the message displayed before proceeding to the web site. Large corporations (which are a small percentage compared to the massive amounts of small businesses, which are by far the biggest percentage) are denying business opportunities to the smaller one man bands on a cost basis. With all the scare stories of scams and computer fraud the message pages set up by Microsoft and Firefox (the only two I use) scare off potential customers. So unless this issue is confronted they will continue to dominate the market place as long as they are allowed to by the smaller business community. Perhaps it is the message that needs to be toned down or perhaps this issue could be raised with some governing body. If the will is there, and judging by the correspondence it is, then something should be put into motion.

Offline cactus

« Reply #16 on: June 12, 2010, 12:05:57 AM »
IIRC certificates aren't that expensive... building a proper web of trust however is, that is why you need to pay some as well. It is not that easy to be a certificate authority. I think you are considering this too lightly. There are two ways to do this: one way is the certificate authority, the other way is the web of trust (like CACert does). If we have multiple smaller webs of trust you do not have a very high certificate security in such a case. You need a web of trust that is as large as you can get and as diverse as you can get...

Offline janet

« Reply #17 on: June 12, 2010, 12:18:49 AM »
BlueLake

Piran is correct re issues with validity period of cacert certificates.
If you can locate a "real person" in your area and physically meet up with them, then you can have a cacert certificate issued for 2 years rather than 6 months (the default "effort free" validity period). Visitors to your website still need to install the CACERT root certificate available from the cacert website. So you could say there is still some effort required to get trust when using free cacert certificates. Trust has a price. Read more about it on the cacert website.

Certificate authorities need to pay tens of thousands of dollars to the browser publishers to be included in the root certificate. Cacert is the organisation currently attempting to achieve what you are asking for.

There are a number of lower cost commercial certificate offerings around that I believe are trusted by browsers (eg the Microsoft issued default root certificates installed in browsers).
Search Google for cheap offerings, take a look at GoDaddy.

Note that the root certificate issued by Microsoft & others needs to be updated every few years (which happens automatically with a browser update). There is a cost to browser publishers to maintain & update root certificates, so I guess it's reasonable to expect there to be a cost to the end user.

I think you can get an acceptable certificate for a few hundred dollars per year rather than paying thousands of dollars for a "big name" certificate. Most small businesses could afford the lesser amount, it's in effect a necessary cost to do secure online business.
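
The trust-path behaviour discussed in the replies above, as an added example that is not part of any forum post: a client accepts a server certificate only if it chains to a root already in its store, so a certificate from a community root is accepted only after the visitor installs that root, and a self-signed certificate is not accepted either way. The host name `shop.example.test`, the root names and the store files are constructed for the demo, which assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: every name and certificate below is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root <name>: self-signed certificate <name>.crt with its key <name>.key
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue <ca-name> <leaf-name> <hostname>: server certificate signed by <ca-name>
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# verdict <store-file> <cert-name>: what a client trusting only <store-file> decides
# (the demo roots are not in any system store, so only <store-file> matters here)
verdict() {
    if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1
    then echo trusted; else echo warning; fi
}

new_root bundled-root      # stands in for a root shipped with the browser
new_root community-root    # stands in for a root the visitor must install
new_root selfsigned        # the server's own self-signed certificate
issue bundled-root paid shop.example.test
issue community-root free shop.example.test

STOCK="$WORK/stock.pem"    # store as shipped: bundled root only
cp "$WORK/bundled-root.crt" "$STOCK"
ADDED="$WORK/added.pem"    # store after the visitor installs the community root
cat "$WORK/bundled-root.crt" "$WORK/community-root.crt" > "$ADDED"

# paid: trusted/trusted, free: warning/trusted, selfsigned: warning/warning
for cert in paid free selfsigned; do
    echo "$cert: stock=$(verdict "$STOCK" "$cert") after-install=$(verdict "$ADDED" "$cert")"
done
```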