On 09/22/10 11:57 AM, Chris Rider wrote:
> We have a client/server architecture based product that needs to allow
> SSL communication between our server (CentOS) and various clients' web
> browsers (and additionally, other devices, but that's beyond the scope
> of this post).
>
> We've been able to get SSL working in both of two different ways
> (self-signed certificate & self-signed CA with certificates signed by
> that) -- so that is not the issue. Rather, our whole issue is that we
> don't want the end-users to be confronted with a big scary browser
> message that says something akin to "There's a Problem With Security!
> / Allow Exception, etc." If they must install a certificate or two,
> that would be acceptable, though. So I thought that creating my own CA
> to sign certificates with would be a solution.... apparently not. I'm
> now getting browser messages that say the certificate's issuer is not
> trusted!!! Very frustrating.

take your self-signed CA public certificate, name it something.cer, and
place it on a web server, making sure the web server understands that
.cer is MIME type application/x-x509-ca-cert

give your clients the link to that .CER ... they have to accept it and
add it to their trusted root certificate storage, the specifics of doing
this vary by web browser (current versions of MSIE have made this harder
than it should be)

once that .cer is installed in the browser's trusted root authorities,
then anything signed by that CA will be accepted.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
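
The trust relationship described in the reply above, as an added example that is not part of the original thread: a server certificate verifies only against a store holding the CA that signed it, and the fingerprint of the .cer can be compared out of band before it is imported. It assumes the openssl command line tool (1.1.0 or later); our-ca, other-ca and app.example.test are constructed names, and other-ca stands in for a browser store that lacks the private CA.

```shell
# Added example; every name below is constructed for illustration.
set -eu
WORK=$(mktemp -d)

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME: self-signed CA; NAME.cer is the DER copy clients download.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.cer"
}

# sign_server CA HOST: server certificate for HOST issued by CA.
sign_server() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# trusted_by STORE CERT: succeeds if a client trusting root STORE accepts CERT.
trusted_by() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# fingerprint FILE FORMAT: SHA-256 fingerprint to check before importing.
fingerprint() {
  openssl x509 -in "$WORK/$1" -inform "$2" -noout -fingerprint -sha256
}

make_ca our-ca
make_ca other-ca   # models a trust store that does not contain our CA
sign_server our-ca app.example.test
trusted_by other-ca app.example.test || echo "before import: issuer not trusted"
trusted_by our-ca app.example.test && echo "after import: accepted"
fingerprint our-ca.cer DER
```

The private key (our-ca.key here) never goes on the web server; only the .cer is published.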