Sure... but please excuse me, as this is the first time I've posted on this forum. Should I post in plain text, or does this system support attached files?

Patrick Patterson wrote:
Hi Chris:

Can you post the certificates in question? My guess is that you don't have the 
various extensions set according to the PKIX standards that the Browsers are 
expecting.

Thanks.

Patrick.
On 2010-09-22, at 2:57 PM, Chris Rider wrote:

We have a client/server architecture based product that needs to allow SSL 
communication between our server (CentOS) and various clients' web browsers 
(and additionally, other devices, but that's beyond the scope of this post).

We've been able to get SSL working in both of two different ways (self-signed certificate 
& self-signed CA with certificates signed by that) -- so that is not the issue. Rather, 
our whole issue is that we don't want the end-users to be confronted with a big scary browser 
message that says something akin to "There's a Problem With Security! / Allow Exception, 
etc." If they must install a certificate or two, that would be acceptable, though. So I 
thought that creating my own CA to sign certificates with would be a solution.... apparently 
not. I'm now getting browser messages that say the certificate's issuer is not trusted!!! 
Very frustrating.

So, as I said, I've created my own CA (using this link as a guide: 
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ ), and can sign my own certificates 
without problem. I then install the root certificate, followed by a server certificate 
signed by that CA. And, while I can click "allow exception" in the browser to 
make it all work, that is not the desired way. We just want to be able to have the 
end-user install a trusted root certificate and everything just work from there. Testing 
in IE and Firefox nets the same big scary warning message, no matter what combination of 
fields I use in the CSR, etc.

We really don't want to go with a third party CA like VeriSign, for example -- 
not so much because of the cost, but we just don't want to deal with updating 
countless remote installations of our product whenever the certificate expires. 
Not to mention the support that would be associated with doing that! The other 
issue is that some/most of these installations do not have outside internet 
connectivity with which to query the CAs (for CRLs, or whatever). We really 
need to manage our own certificates, all in all.... but without these warning 
messages.

Is it possible?
If so, what am I missing?

--
Chris Rider,
Systems Architect
MessageNet Systems
chris.ri...@messagenetsystems.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





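Patrick's reply points at the X.509v3 extensions. A private CA that browsers will accept once its root is installed needs, at minimum, basicConstraints CA:TRUE and keyUsage keyCertSign on the root, and CA:FALSE, extendedKeyUsage serverAuth and a subjectAltName matching the hostname the user types on the server certificate. The script below is an added example, not code from the thread or from OpenSSL's own documentation: it builds such a CA and server certificate with the openssl CLI and then checks the chain. It assumes openssl is on PATH; the hostname server.example.internal, the organisation name and the output directory are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA plus a server certificate
# carrying the X.509v3 extensions browsers check, followed by chain verification.
# Assumes the openssl CLI; "server.example.internal" is a placeholder hostname.
set -e

# make_pki DIR HOST : writes ca.crt/ca.key and server.crt/server.key into DIR
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir"

    # Root CA: CA:TRUE (critical) and keyCertSign are what mark it as an issuer.
    # Without them a browser will still reject certificates it signed, even
    # after the root has been installed in the trust store.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example Private Root CA
O = Example
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server CSR: a minimal config so the command runs without a system openssl.cnf.
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $host
O = Example
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # End-entity extensions: CA:FALSE, serverAuth EKU, and the hostname in the
    # subjectAltName (browsers match the SAN, not only the CN).
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    openssl x509 -req -days 825 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST : returns 0 when server.crt chains to ca.crt and its
# SAN lists HOST, i.e. the two checks a browser performs before trusting it.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# has_ext DIR FILE PATTERN : returns 0 when the certificate's text dump contains PATTERN
has_ext() {
    openssl x509 -in "$1/$2" -noout -text | grep -q "$3"
}

# Stand-alone demo: ./pki.sh demo
if [ "${1:-}" = "demo" ]; then
    make_pki ./demo-pki server.example.internal
    verify_chain ./demo-pki server.example.internal && echo "chain OK"
fi
```

Install ca.crt (never ca.key) on the clients and deploy server.crt plus server.key on each CentOS box. Two caveats from the thread's own goals: Firefox keeps its own certificate store, so a root added to the Windows store for IE does not automatically cover Firefox; and giving the root a long lifetime is what avoids the "re-issue everywhere" problem, because only the per-server certificates, which the private CA can re-sign at any time, need to be rotated when they expire.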