We have a client/server architecture based product that needs to allow
SSL communication between our server (CentOS) and various clients' web
browsers (and additionally, other devices, but that's beyond the scope
of this post).
We've been able to get SSL working in both of two different ways
(self-signed certificate & self-signed CA with certificates signed by
that) -- so that is not the issue. Rather, our whole issue is that we
don't want the end-users to be confronted with a big scary browser message
that says something akin to "There's a Problem With Security! / Allow
Exception, etc." If they must install a certificate or two, that would
be acceptable, though. So I thought that creating my own CA to sign
certificates with would be a solution.... apparently not. I'm now
getting browser messages that say the certificate's issuer is not
trusted!!! Very frustrating.
So, as I said, I've created my own CA (using this link as a guide:
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ ), and can sign my own
certificates without problem. I then install the root certificate,
followed by a server certificate signed by that CA. And, while I can
click "allow exception" in the browser to make it all work, that is not
the desired way. We just want to be able to have the end-user install a
trusted root certificate and everything just work from there. Testing in
IE and Firefox nets the same big scary warning message, no matter what
combination of fields I use in the CSR, etc.
We really don't want to go with a third party CA like VeriSign, for
example -- not so much because of the cost, but we just don't want to
deal with updating countless remote installations of our product
whenever the certificate expires. Not to mention the support that would
be associated with doing that! The other issue is that some/most of
these installations do not have outside internet connectivity with which
to query the CA's (for CRL's, or whatever). We really need to manage our
own certificates, all in all.... but without these warning messages.
Is it possible?
If so, what am I missing?
--
Chris Rider,
Systems Architect
MessageNet Systems
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
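As an added example that is not part of Chris's post or of the linked g-loaded guide, the script below builds a private root CA and issues a server certificate carrying the X.509v3 extensions browsers check when deciding whether a chain is trustworthy: basicConstraints CA:TRUE and keyUsage keyCertSign on the root, and a subjectAltName that matches the hostname on the server certificate. It then verifies the chain offline with `openssl verify`, which needs no CRL lookup or internet access. The hostname msgnet.example, the subject names, the file names, the key size and the lifetimes are placeholders chosen for this example; only the openssl command line is used.

```shell
#!/bin/sh
# Added example: private root CA + server certificate with browser-relevant
# extensions, verified offline. Names, hostnames and lifetimes are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
SERVER_HOST="${SERVER_HOST:-msgnet.example}"   # placeholder hostname

# One config file: a minimal [req] section (so openssl req has a DN section to
# read) plus the extension profiles for the root CA and for the server leaf.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = overridden-by-subj

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:${SERVER_HOST}
EOF
}

# Generate the root CA (self-signed, v3_ca extensions) and a server
# certificate signed by it (v3_server extensions, SAN = hostname).
build_pki() {
    write_config

    # Root CA key and self-signed certificate (placeholder 10-year lifetime).
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 \
        -key "$WORK/ca.key" \
        -subj "/O=Example Org/CN=Example Private Root CA" \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -out "$WORK/ca.pem"

    # Server key and CSR; the CN is set to the hostname for older clients,
    # the SAN in v3_server is what current browsers actually match on.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -sha256 \
        -key "$WORK/server.key" \
        -subj "/O=Example Org/CN=${SERVER_HOST}" \
        -config "$WORK/openssl.cnf" \
        -out "$WORK/server.csr"

    # Sign the CSR with the CA, applying the leaf extension profile.
    openssl x509 -req -sha256 -days 3650 \
        -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
}

# Offline chain check: succeeds (exit 0) only if server.pem chains to ca.pem
# and both certificates are usable for the TLS-server purpose.
verify_chain() {
    openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Sanity checks on the extensions that a browser looks at.
ca_is_ca() {
    openssl x509 -in "$WORK/ca.pem" -noout -text | grep -q "CA:TRUE"
}

server_has_san() {
    openssl x509 -in "$WORK/server.pem" -noout -text | grep -q "DNS:${SERVER_HOST}"
}

build_pki
verify_chain && ca_is_ca && server_has_san \
    && echo "chain verifies; root and server certs written to $WORK"
```

Run it as-is and it prints the scratch directory holding ca.pem (the file to distribute to end-users) and server.pem/server.key (the pair to install on the server). `openssl verify` exiting 0 against the root is the check to make before shipping the root; after that, the root has to land in the browser's trusted root store rather than in the personal or server certificate list, and Firefox keeps its own certificate store, separate from the Windows store that IE reads, so it needs its own import.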