Re: [cobalt-security] self signed certificate warnings
- Subject: Re: [cobalt-security] self signed certificate warnings
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: Wed, 20 Feb 2002 22:45:32 +0300 (MSK)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On 20 Feb 2002 10:38:16 -0500 Matthew Nuzum <cobalt@xxxxxxxxxxxxx> wrote:
> I've designed an application that collects some personal information, so
> for the short term, I created a self signed "wildcard" certificate.
> It's 128 bit and Netscape and IE handle it just fine. I feel very
> comfortable with the level of security it gives me.
>
> The problem is that browsers visiting the site for the first time get a
> pop-up warning stating that the user has not chosen to trust the
> signing authority, or something along those lines.
>
> IE and NS both state that the security is full strength, that the dates
> are valid and that the domain name matches. They show nice little
> symbols that make users feel pretty comfortable.
>
> While this is fine for most of my clients, I'd like to not have the
> pop-up window appear at all.
>
> I know of ONE way that will take care of this problem definitively, and
> that is to buy a wildcard cert from Thawte. However, they now charge
> per domain, which is extremely limiting to me.
Some CAs (Verisign?) can sell you a CA certificate that
would allow you to sign your sites' certificates, and
still have them recognized as valid by browsers. Of course
this is not cheap.
> I have heard that you can send a special mime-encoded file to newer
> browsers that will allow them to add me to their list of trusted
> authorities. Maybe this is a rumor, or maybe this is a complete
> mis-understanding on my part. It sounds intriguing to me though.
>
> Has anyone tried this? I'd search the Internet, but I'm somewhat at a
> loss for what to even search for.
That's true, browsers can add downloaded CA certificates to
the list of "trusted" CAs (after a confirmation dialogue).
Create a self-signed certificate, and use it as a CA
certificate for signing your web site certificates.
Place this self-signed certificate somewhere in your
document tree, and make Apache show it with Content-Type:
application/x-x509-ca-cert. This can be done, for
example, by giving the file a unique extension, such as
".ca-cert", and placing this directive in httpd.conf:
AddType application/x-x509-ca-cert .ca-cert
Tell your users to point their browsers to this URL if
they want to "trust" your CA.
An example of such a setup is here: http://www.average.org/cert/
Important note: you will be much safer if you keep your CA
private key and do the signing process on a computer that
is never connected to any network.
Eugene
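The setup described in the reply above, as an added example that is not part of the original thread: a private CA is created, a wildcard site certificate is signed with it, and the CA certificate (public part only) is staged in the document tree under the ".ca-cert" extension that the AddType directive maps to application/x-x509-ca-cert. The names (example.com, "Example Private CA"), paths and the openssl invocations are assumptions; the post itself names no tool.

```shell
# Added example, not from the post: build a private CA, sign a wildcard site
# certificate with it, and stage the CA cert under the ".ca-cert" extension
# that "AddType application/x-x509-ca-cert .ca-cert" maps for Apache.
# Names (example.com, "Example Private CA") and paths are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
make_ca() {
    # Self-contained openssl config so the result does not depend on the
    # system openssl.cnf; v3_ca marks the cert as a CA usable for signing.
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CA key + self-signed CA cert; per the post, do this on an offline box.
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -days 3650 \
        -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    chmod 600 "$WORK/ca.key"
}
make_site_cert() {
    # Site key and CSR for the wildcard name (-subj overrides the config DN),
    # then sign the CSR with the CA, adding the SAN browsers match the host on.
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=*.example.com" \
        -newkey rsa:2048 -nodes -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com,DNS:example.com\n' >"$WORK/site.ext"
    openssl x509 -req -days 365 -in "$WORK/site.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/site.ext" \
        -out "$WORK/site.crt" 2>/dev/null
}
stage_ca_cert() {
    # Publish only the CA certificate (never ca.key) in the document tree.
    mkdir -p "$WORK/htdocs/cert"
    cp "$WORK/ca.crt" "$WORK/htdocs/cert/example-ca.ca-cert"
}

verify_chain() {
    # True only if site.crt chains to our CA and carries the wildcard name:
    # the check a browser performs once the user has imported the CA.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/site.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$WORK/site.crt" -noout -text | grep -q 'DNS:\*\.example\.com'
}

make_ca && make_site_cert && stage_ca_cert && verify_chain && echo "CA staged in $WORK"
```

Once the staged file is served with the right Content-Type, a browser fetching it offers the import dialogue Eugene mentions; until a user accepts it, the site certificate still fails the same chain check that verify_chain performs here.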