hi all,
I have gone through the process of self-signing certificates. Aside from the pop-ups about not trusted etc... everything appears to work.
For "internal" applications what do people/places do? It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to bypass the certificate signing process - even for internal apps. Is there?
Thanks,
Jerry
On Mon, Aug 24, 2009 at 9:32 AM, Jerry Geis <geisj@pagestation.com> wrote:
For "internal" applications what do people/places do? It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to bypass the certificate signing process - even for internal apps. Is there?
Thanks,
Jerry
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
If you are in a Windows domain you can distribute the public certificate of your "signing authority" using Active Directory. This will prevent IE from showing the untrusted warning. Otherwise you can install the public certificate into the users' web browser and any certs you sign will show as trusted.
If you can give an idea of what platform/browser I can provide more specifics.
Brian
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Brian Becker
Sent: Monday, August 24, 2009 9:44
To: CentOS mailing list
Subject: Re: [CentOS] self signing certificates
On Mon, Aug 24, 2009 at 9:32 AM, Jerry Geis <geisj@pagestation.com> wrote:
For "internal" applications what do people/places do?
We follow the design at VeriSign.
We have an offline master RootCA cert; this has signed another offline PublicCA.
The PublicCA is a machine which takes certificate signing requests (you can make these using openssl, or Microsoft stuff, etc.) and signs those out.
For development we have a non-public online DevCA that we use to sign test code, etc. This code is never intended to leave our dev lab. If the code is leaving the lab it will have to be signed by our PackageSigningCA (online), which is signed by our PublicCA.
We have our RootCA pushed to all of our servers and workstations. It is also available via http://ca.pdinc.us.
The DevCA is manually installed by each user on each machine that wants it. It also expires every 110 days, and we make a new one every 90 days.
Hope this helps.
It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to bypass the certificate signing process - even for internal apps. Is there?
Nope.
Thanks,
Jerry
If you are in a Windows domain you can distribute the public certificate of your "signing authority" using Active Directory. This will prevent IE from showing the untrusted warning. Otherwise you can install the public certificate into the users' web browser and any certs you sign will show as trusted.
A good source of how to do this on OS/Application X:
http://wiki.cacert.org/wiki/BrowserClients#ImportintoMicrosoftActiveDirector... upPolicyobject
If you can give an idea of what platform/browser I can provide more specifics.
Brian
--
Jason Pyeron, Principal Consultant
PD Inc. http://www.pdinc.us
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333
This message is copyright PD Inc, subject to license 20080407P00.
If you are in a Windows domain you can distribute the public certificate of your "signing authority" using Active Directory. This will prevent IE from showing the untrusted warning. Otherwise you can install the public certificate into the users' web browser and any certs you sign will show as trusted.
If you can give an idea of what platform/browser I can provide more specifics.
Brian,
Just my Linux server and IE or Firefox clients. I don't see many people connecting - just unknown of something popping up on a user's screen that they don't know what to do about.
No active directory in use.
Jerry
If you are simply using certs for encryption and not for authentication then this practice probably can be safely dispensed with. If you ARE using certs for authentication then this provision is absolutely required.
James,
Correct I am really just using cert or https for encryption not authentication.
But it sounds like it really doesn't matter. They are not separate things.
Was just trying to find a way so that users that "don't know" what this box is that is popping up won't even see the box. Sounds like there is no way around it - to just use https encryption.
Thanks,
Jerry
Jerry Geis wrote on Mon, 24 Aug 2009 21:23:31 -0400:
Was just trying to find a way so that users that "don't know" what this box is that is popping up won't even see the box. Sounds like there is no way around it - to just use https encryption.
As has been said in this thread and in other threads, IE clients just need to import the CA certificate, then they trust all certificates signed by that root. Firefox can't do this. But you can trust single certs with it.
Kai
Kai Schaetzl wrote:
Jerry Geis wrote on Mon, 24 Aug 2009 21:23:31 -0400:
Was just trying to find a way so that users that "don't know" what this box is that is popping up won't even see the box. Sounds like there is no way around it - to just use https encryption.
As has been said in this thread and in other threads, IE clients just need to import the CA certificate, then they trust all certificates signed by that root. Firefox can't do this. But you can trust single certs with it.
Firefox (the Windows version at least) can import the CA certificate just like IE. It just takes more digging to find the tool.
- Go to Tools --> Options
- Select Advanced and then go to the Encryption tab
- Click on View Certificates
- Go to the Authorities tab
- Click the Import button
At Mon, 24 Aug 2009 09:32:00 -0400 CentOS mailing list <centos@centos.org> wrote:
hi all,
I have gone through the process of self-signing certificates. Aside from the pop-ups about not trusted etc... everything appears to work.
For "internal" applications what do people/places do? It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to bypass the certificate signing process - even for internal apps. Is there?
I think you need to set yourself up as a certificate authority and have the people (clients) on the intranet import your certificate authority (CA) into their browsers and e-mail clients. Once that is done, you use your certificate authority thing to sign your cert(s). Since you are a "certificate authority" as far as the web browser is concerned, all of the cert(s) you sign with your "certificate authority" are trusted.
(I don't know exactly how to do this, just know what the admins in the UMass CS Dept. set up for internal https and imaps servers.)
Thanks,
Jerry
One time you talk about applications, one time about web site. It's also not clear what you actually want to achieve. So, what is the exact question/problem?
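Putting Jason's RootCA -> PublicCA -> server-cert design and the "become your own CA, then have clients import it" suggestion above into commands, as an added example that is not from anyone in this thread: a shell script that builds the two CA tiers with openssl, issues a server certificate from a CSR, and checks that the chain validates only when the root is trusted (the untrusted case is the pop-up Jerry is seeing). All names, paths and lifetimes are made up; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Two-tier internal CA with openssl:
# offline root -> signing CA -> server cert, as Jason describes.
# Names, paths and lifetimes are made up; assumes openssl 1.1.1+ on PATH.
set -e

# Build root, signing CA and one server certificate under directory $1.
build_internal_ca() (
  mkdir -p "$1" && cd "$1"
  # Per-tier extensions: both CAs get keyCertSign, the signing CA gets
  # pathlen:0 so it cannot mint further CAs, the leaf gets a SAN.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:intranet.example.internal\n' > srv.ext
  # 1. Root CA: self-signed and long-lived; root.key belongs on an offline box.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example RootCA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile root.ext -out root.crt 2>/dev/null
  # 2. Signing CA (Jason's "PublicCA"): its CSR is signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example PublicCA" \
    -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile sub.ext -out sub.crt 2>/dev/null
  # 3. Server CSR, what an application owner hands to the signing CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=intranet.example.internal" \
    -keyout server.key -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 365 -extfile srv.ext -out server.crt 2>/dev/null
  # The web server presents leaf + signing CA; clients import only root.crt.
  cat server.crt sub.crt > chain.pem
)

# Returns 0 when server.crt validates with root.crt as the sole trust anchor
# (a browser that imported the root) AND is rejected with no anchor at all
# (the "not trusted" pop-up); returns 1 otherwise.
verify_chain() {
  d="$1"
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" \
    "$d/server.crt" >/dev/null 2>&1 || return 1
  if openssl verify -no-CAfile -no-CApath -untrusted "$d/sub.crt" \
    "$d/server.crt" >/dev/null 2>&1; then return 1; fi
  return 0
}

# Print subject and issuer of each tier so the chain can be eyeballed.
show_chain() {
  for f in root sub server; do openssl x509 -in "$1/$f.crt" -noout -subject -issuer; done
}
```

On the server side only chain.pem and server.key are deployed; the root key never leaves the offline machine, which is the whole point of the split.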
Kai
----- Original Message ----
From: Jerry Geis <geisj@pagestation.com>
To: CentOS ML <centos@centos.org>
Sent: Monday, 24 August, 2009 14:32:00
Subject: [CentOS] self signing certificates
hi all,
I have gone through the process of self-signing certificates. Aside from the pop-ups about not trusted etc... everything appears to work.
For "internal" applications what do people/places do? It would be nice to be seamless and have the "you're not trusted" window pop-up. Yet this is not a public web site either. Just internal use. The server might be on the internet but people from the internet are not using it.
I presume there is no way to bypass the certificate signing process - even for internal apps. Is there?
Thanks,
Jerry
A trusted cert can be bought for as little as £12 ($19) a year, so for me, it's cheaper (in time) and less effort to buy a real certificate and find that everything 'just works'.
http://www.trustico.co.uk/products/rapidssl/cheap-rapidssl-ssl-certificate.p...
No affiliation.