
Re: [cobalt-security] self signed certificate warnings



On 20 Feb 2002 10:38:16 -0500 Matthew Nuzum <cobalt@xxxxxxxxxxxxx> wrote:

> I've designed an application that collects some personal information, so
> for the short term, I created a self-signed "wildcard" certificate.
> It's 128 bit and Netscape and IE handle it just fine.  I feel very
> comfortable with the level of security it gives me.
> 
> The problem is that browsers visiting the site for the first time get a
> pop-up warning stating that the user has not chosen to trust the
> signing authority, or something along those lines.
> 
> IE and NS both state that the security is full strength, that the dates
> are valid and that the domain name matches.  They show nice little
> symbols that make users feel pretty comfortable.
> 
> While this is fine for most of my clients, I'd like to not have the
> pop-up window appear at all.
> 
> I know of ONE way that will take care of this problem definitively, and
> that is to buy a wildcard cert from Thawte.  However, they now charge
> per domain, which is extremely limiting to me.

Some CAs (Verisign?) can sell you a CA certificate that
would allow you to sign your sites' certificates, and
still have them recognized as valid by browsers.  Of course
this is not cheap.

> I have heard that you can send a special mime-encoded file to newer
> browsers that will allow them to add me to their list of trusted
> authorities.  Maybe this is a rumor, or maybe this is a complete
> misunderstanding on my part.  It sounds intriguing to me though.
> 
> Has anyone tried this?  I'd search the Internet, but I'm somewhat at a
> loss for what to even search for.

That's true, browsers can add downloaded CA certificates to
the list of "trusted" CAs (after a confirmation dialogue).

Create a self-signed certificate, and use it as a CA
certificate for signing your web site certificates.
Place this self-signed certificate somewhere in your
document tree, and make Apache show it with Content-Type:
application/x-x509-ca-cert.  This can be done, for
example, by giving the file a unique extension, such as
".ca-cert", and placing this directive in httpd.conf:

    AddType application/x-x509-ca-cert .ca-cert

Tell your users to point their browsers to this URL if
they want to "trust" your CA.

An example of such a setup is here: http://www.average.org/cert/

Important note: you will be much safer if you keep your CA
private key and do the signing process on a computer that
is never connected to any network.

Eugene
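Added example (not from the original thread): the private-CA setup Eugene describes, modelled with Go's standard crypto/x509 so the trust decision a browser makes can be checked offline. buildChain plays the offline CA, caPEM is the file served as application/x-x509-ca-cert, and verifyFor plays the browser; all names, lifetimes and hostnames are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// buildChain creates a self-signed CA and a wildcard site certificate signed
// by it. Names and lifetimes are constructed for this example, not from the post.
func buildChain() (ca, site *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	siteKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	siteTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.example.com"},
		DNSNames: []string{"*.example.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The site cert is signed with the CA key: that is the key to keep on an offline machine.
	siteDER, err := x509.CreateCertificate(rand.Reader, siteTmpl, ca, &siteKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	site, err = x509.ParseCertificate(siteDER)
	return ca, site, err
}

// caPEM is the file to publish as ".ca-cert" and serve as application/x-x509-ca-cert.
func caPEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// verifyFor mimics a browser validating the site certificate for host against
// a trust store; an empty pool stands for a browser that never imported the CA.
func verifyFor(site *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Verifying against an empty pool reproduces the warning the original poster's users see; once the CA PEM is appended to the pool, only hostnames with exactly one label in front of example.com validate, which is all the wildcard permits.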