Re: My bank has an invalid cert
Hi,

On 08/25/2011 11:15 PM, t...@terralogic.net wrote:
> I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in FireFox and see where it is and how it's done.
>
> As for the bank. We build it and they break it. Not my fault.

TDWaterhouse can be accessed via HTTPS (EV cert). Am I correct in surmising that your bank wants you to install a root cert of their own? From which URL does it ask you to do that? (If that's not what is happening, can you please send me the issuer, serial number and hash value of the cert that you need to validate?)

Firefox root certificates are stored in a file certdata.txt in their hg (and EV OIDs are stored directly in the cpp code; I can look up the hg URLs if you want). I'm not sure where FF puts additional certs, but it will be on the local file system. Likely in PEM or DER, though, so grep won't help. A Google lookup on the moz.dev.security.policy or moz.dev.security.crypto groups might yield the answers; the topic occurs there from time to time.

Ralph

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: My bank has an invalid cert
Use this openssl command to obtain the full hierarchy including the root CA. This should be what you need to import the certs into your version of Firefox.

    openssl s_client -connect webbroker.tdwaterhouse.ca:443 -showcerts

If you wish to automate it, you do so via 'certutil' and using the directory that houses your 'cert8.db' file.

On 08/25/2011 05:26 PM, t...@terralogic.net wrote:
> Web broker.
>
> Also they seem to have broken their web site in other ways. I just hate it when they figure they should reprogram my browser so I can't right click on a link and open in a new window. I do run multiple monitors and it's nice to put a press release on one monitor and another press release on another monitor while having the main window on yet a 3rd monitor.
>
> Their mind set seems to be like if you want to use our service then switch your machine to windows... toss out the extra monitors and set the display to 800x600. Well not quite that bad but close.
>
> If I have much more trouble with them I'm going to close my accounts.
>
> On Thu, Aug 25, 2011 at 05:08:40PM -0400, Crypto Sal wrote:
>> Do you log into 'Web Broker' or 'Easy Web'?
Re: My bank has an invalid cert
On Thu, Aug 25, 2011 at 03:39:59PM -0600, t...@terralogic.net wrote:
> Very good! I can write a little code to do that!

The Firefox team already did it for you. In v3.6: Tools | Page Info | Security | View Certificate | Details | Certificate Hierarchy. Select any member of the chain and see details below.

> Thanx
>
> On Thu, Aug 25, 2011 at 05:24:14PM -0400, Crypto Sal wrote:
>> You typically import certs through the Firefox certificate manager found via Edit - Preferences - Adv. - Encryption - View Certificates. It should be self explanatory from here. The only other question that remains is which Root CA. That can only be done by reading the certificate hierarchy that is presented by the bank's server, which it should provide you upon making an s_client connection.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: My bank has an invalid cert
On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:
> the answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything.

Wht? Of course I can manipulate my browser's root certificate store. There's a nice bit of UI provided for exactly that purpose. I can install new certificates, remove ones I don't trust, examine all.

Of course I can manipulate my OS' trust store. It's just files in /etc. There's no way to keep me out.

Better to say: if users canNOT manipulate the root certificate store, then it would be impossible to trust anything. The whole point is *my* trust. (And yours.)

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: My bank has an invalid cert
On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

> I see my bank has an invalid cert. Likely I have an old cert chain.
>
> I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

> Can anyone tell me where to install a valid root cert? Like what directory?
>
> I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

> I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:
> On Wed August 24 2011, t...@terralogic.net wrote:
>
> Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.
>
>> I see my bank has an invalid cert. Likely I have an old cert chain.
>>
>> I'm running Debian Linux and firefox.
>
> Use any one of the distribution provided package managers to download and install the most recently released package of certificates.
>
>> Can anyone tell me where to install a valid root cert? Like what directory?
>>
>> I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.
>
> Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.
>
>> I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.
>
> Your distribution's package manager already has that handled. All you have to do is use it.
>
> Mike
Re: My bank has an invalid cert
Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.

If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:
> I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.
Re: My bank has an invalid cert
TDWaterhouse In Canada. I'm in Calgary.

Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:
> Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.
>
> If we had the bank URL, we would be able to better help you to resolve this issue.
Re: My bank has an invalid cert
Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates.

If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish).

Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates.

This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:
> TDWaterhouse In Canada. I'm in Calgary.
>
> Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

--
Craig White ~~ craig.wh...@ttiltd.com
1.800.869.6908 ~~~ www.ttiassessments.com
Need help communicating between generations at work to achieve your desired success? Let us help!
Re: My bank has an invalid cert
I already know it's my certificate store. I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:
> Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates.
>
> If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish).
>
> Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates.
>
> This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.
>
> Craig
Re: My bank has an invalid cert
Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:
> TDWaterhouse In Canada. I'm in Calgary.
>
> Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.
Re: My bank has an invalid cert
Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:
> Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.
Re: My bank has an invalid cert
the answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'keychain access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:
> I already know it's my certificate store. I only asked how to load in their new root cert.
Re: My bank has an invalid cert
On Thu August 25 2011, t...@terralogic.net wrote:

Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

They are the wrong people to ask. Capture the certificate chain being sent by their server, examine it to find what root cert you need, then get that root cert from somewhere else, somewhere you can trust. The entire concept of third party trust is broken when you by-pass the third party. ;-)

Mike

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
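The procedure described in the message above (capture the chain the server sends, work out which root it needs, then check against a root obtained elsewhere), as an added example that is not part of the original thread. The function names are hypothetical and the three-certificate PKI is constructed test data generated on the spot; it assumes the `openssl` command line tool and `awk` are installed and that the server sends its chain in order.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Every certificate below is constructed
# throwaway test data; no real server or CA is contacted.
set -eu

# Build a constructed PKI (root -> intermediate -> leaf) plus a file shaped
# like saved `openssl s_client -showcerts` output: leaf first, root omitted.
make_sample() {
    local d="$1" name
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in root inter leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-$name.example" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
    {
        echo " 0 s:CN=constructed-leaf.example";  cat "$d/leaf.pem"
        echo " 1 s:CN=constructed-inter.example"; cat "$d/inter.pem"
    } > "$d/sent-chain.txt"
}

# Split the PEM blocks in FILE ($1) into DIR/cert-1.pem, cert-2.pem, ... in
# the order sent, ignoring the text between blocks. Prints the count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep                          { print > out }
        /-----END CERTIFICATE-----/   { keep = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Print the subject or issuer ($1) of certificate file $2 as an RFC 2253 DN.
dn() {
    openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# Succeeds if each certificate's issuer is the subject of the next one sent.
chain_is_ordered() {
    local dir="$1" count="$2" i=1
    while [ "$i" -lt "$count" ]; do
        [ "$(dn issuer "$dir/cert-$i.pem")" = "$(dn subject "$dir/cert-$((i + 1)).pem")" ] || return 1
        i=$((i + 1))
    done
}

# The issuer of the last certificate sent names the root that the local
# trust store has to supply (if the server sent the root, this is the root).
needed_root() { dn issuer "$1/cert-$2.pem"; }

# Verify the leaf against a root file obtained independently of the server.
# Intermediates from the server are helpers only (-untrusted), never anchors.
verify_with_root() {
    local root="$1" dir="$2" count="$3" i=2
    : > "$dir/untrusted.pem"
    while [ "$i" -le "$count" ]; do
        cat "$dir/cert-$i.pem" >> "$dir/untrusted.pem"; i=$((i + 1))
    done
    if [ "$count" -gt 1 ]; then
        openssl verify -CAfile "$root" -untrusted "$dir/untrusted.pem" "$dir/cert-1.pem" 2>&1
    else
        openssl verify -CAfile "$root" "$dir/cert-1.pem" 2>&1
    fi | grep -q ': OK$'
}

demo() {
    local work n
    work=$(mktemp -d)
    make_sample "$work"
    n=$(split_chain "$work/sent-chain.txt" "$work")
    echo "certificates sent by server: $n"
    chain_is_ordered "$work" "$n" && echo "chain order: ok"
    echo "root to obtain from an independent source: $(needed_root "$work" "$n")"
    echo "fingerprint to compare against that source:"
    openssl x509 -noout -fingerprint -sha256 -in "$work/root.pem"
    verify_with_root "$work/root.pem" "$work" "$n" && echo "verify with that root: OK"
    rm -rf "$work"
}
demo
```

On a real capture, save the output of the `s_client -showcerts` command quoted in the thread to a file and pass that file to `split_chain` in place of the constructed `sent-chain.txt`. A root that merely carries the right name does not pass `verify_with_root`, because the signatures are checked against its key.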
Re: My bank has an invalid cert
Do you log into 'Web Broker' or 'Easy Web'?

On 08/25/2011 04:50 PM, t...@terralogic.net wrote:

Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in Firefox and see where it is and how it's done. As for the bank. We build it and they break it. Not my fault.

On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

The answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'keychain access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know it's my certificate store. I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates. If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish). Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates. This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
Good idea. Ya. I know. But what percentage of the computers the bank deals with are filled with malware?

On Thu, Aug 25, 2011 at 04:06:02PM -0500, Michael S. Zick wrote:

On Thu August 25 2011, t...@terralogic.net wrote:

Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

They are the wrong people to ask. Capture the certificate chain being sent by their server, examine it to find what root cert you need, then get that root cert from somewhere else, somewhere you can trust. The entire concept of third party trust is broken when you by-pass the third party. ;-)

Mike

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
On Thu August 25 2011, t...@terralogic.net wrote:

Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

My Debian V-5 system browsers report: Certificate signing authority is unknown or invalid.

My Debian V-6 system browsers consider the chain valid.

Translation: Update your OS installation.

Mike

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
You typically import certs through the Firefox certificate manager found via Edit - Preferences - Adv. - Encryption - View Certificates. It should be self-explanatory from here. The only other question that remains is which Root CA. That can only be done by reading the certificate hierarchy that is presented by the bank's server, which it should provide you upon making an s_client connection.

On 08/25/2011 05:15 PM, t...@terralogic.net wrote:

I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in Firefox and see where it is and how it's done. As for the bank. We build it and they break it. Not my fault.

On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

The answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'keychain access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know it's my certificate store. I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates. If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish). Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates. This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
Web broker. Also they seem to have broken their web site in other ways. I just hate it when they figure they should reprogram my browser so I can't right click on a link and open in a new window. I do run multiple monitors and it's nice to put a press release on one monitor and another press release on another monitor while having the main window on yet a 3rd monitor. Their mind set seems to be like if you want to use our service then switch your machine to windows... toss out the extra monitors and set the display to 800x600. Well not quite that bad but close. If I have much more trouble with them I'm going to close my accounts.

On Thu, Aug 25, 2011 at 05:08:40PM -0400, Crypto Sal wrote:

Do you log into 'Web Broker' or 'Easy Web'?

On 08/25/2011 04:50 PM, t...@terralogic.net wrote:

Sorry http://www.tdwaterhouse.ca/

It's my old cert chain which is broken. I just want to go to them and ask them to supply the root cert so I can install it and get rid of the error message which Firefox generates because I can't find the root cert.

On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those of us that don't live in Canada or use TDWaterhouse? I see TD has several sites and this is why we need you to be specific so we can tell you which root to get.

On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
Re: My bank has an invalid cert
Very good! I can write a little code to do that! Thanx

On Thu, Aug 25, 2011 at 05:24:14PM -0400, Crypto Sal wrote:

You typically import certs through the Firefox certificate manager found via Edit - Preferences - Adv. - Encryption - View Certificates. It should be self-explanatory from here. The only other question that remains is which Root CA. That can only be done by reading the certificate hierarchy that is presented by the bank's server, which it should provide you upon making an s_client connection.

On 08/25/2011 05:15 PM, t...@terralogic.net wrote:

I know the theory. I'm also a programmer. I just never bothered to install a root cert before. But I do know how to make them. I'll dig around in Firefox and see where it is and how it's done. As for the bank. We build it and they break it. Not my fault.

On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

The answer lies with the people who wrote the software for the certificate store since the whole point is trust. If users could manipulate the root certificate store, then it would be impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the correct answer (where to store, how much to trust). You can open 'keychain access' on a Macintosh or use Windows MMC to delete certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have to be. If your computer doesn't automatically trust your bank's certificates, then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root certificates that are part of your OS, then copy everything off the hard drive and re-install a fresh copy of your OS. That is the only way you can trust that your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know it's my certificate store. I only asked how to load in their new root cert.

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's your computer or their certificates. If it's your computer, it's either your browser or your OS Certificate store (Windows and Macintosh use entirely different methods to accomplish). Firefox uses its own certificates... if it's Firefox on your computer... uninstall it completely and re-install it. If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store and you will probably need to get the OS to update the Root Certificates. This is all pretty much beyond what a user can manage but some users can manage them, but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:

TDWaterhouse In Canada. I'm in Calgary. Those idjots tell me to reboot my computer when their Apache servers in TO send me a misconfiguration message. I told them yesterday we build it and you break it. Something is desperately wrong.

On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'. If we had the bank URL, we would be able to better help you to resolve this issue.

On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help. But it doesn't help me to defer to a package manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:

Top posting to a hijacked thread is not the way to get a quick and useful reply. Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox.

Use any one of the distribution provided package managers to download and install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate is similar to asking the Fox to guard your Chicken House. Get the root certificate from an independent, trusted, source. Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled. All you have to do is use it.

Mike
My bank has an invalid cert
I see my bank has an invalid cert. Likely I have an old cert chain. I'm running Debian Linux and firefox. Can anyone tell me where to install a valid root cert? Like what directory? I would think the bank should be able to provide the root of the chain. I'll need to know SPECIFICALLY what to ask them for. I've created my own certs of course but just not recently. Also I never tried to install the CA cert for firefox.

On Wed, Aug 24, 2011 at 05:22:26PM -0400, Eduardo Navarro wrote:

You need to have your Root CA certificate (the one used to issue the intermediate CAs and the HTTP cert) to be added to the Trusted Root Certificates store. Firefox manages this separately, same as Apple. Apple needs to add the CA to the Keychain as a trusted root. Firefox, you need to add it to the Security Settings (don't remember exact name of menu/tab)

-Eduardo

-----Original Message-----
From: Craig White
Sent: Wednesday, August 24, 2011 4:54 PM
To: openssl-users@openssl.org
Subject: being my own ca

I've been at this for too many hours and too many web pages and I'm so close... I think I could use a little help over the final obstacle. I'm trying to be my own CA and what I want to accomplish is to be able to sign web server certificates that are automatically accepted by our LAN users if they have the CA certificate installed.

My CA certificate verifies fine...

root@ubuntu:/etc/ssl# openssl verify cacert.pem
cacert.pem: OK

My host web server certificate (generated with the key removed) verifies fine...

root@ubuntu:/etc/ssl# openssl verify ubuntu/http.pem
ubuntu/http.pem: OK

I signed all the certificates that I generated with the CA key file that was used for the CA certificate. And if I load either the DER or the PEM version of my self-signed CA into Firefox or Apple's Keychain access, I would expect that it should just be accepted (but it's not). Of course users can choose to 'accept' but I'm looking to get past that. If someone can help me get over the hurdle, I would appreciate it.
The code I use to generate the web cert is...

openssl req -new -nodes \
  -out $CERTPATH/http.csr \
  -keyout $CERTPATH/http.key \
  -days 3650 \
  -config $CONFIG

openssl ca \
  -config $CONFIG \
  -policy policy_anything \
  -out $CERTPATH/http.pem \
  -infiles $CERTPATH/http.csr

TIA

--
Craig White ~~ craig.wh...@ttiltd.com
1.800.869.6908 ~~~ www.ttiassessments.com
Need help communicating between generations at work to achieve your desired success? Let us help!
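The `openssl req` / `openssl ca` workflow from the quoted "being my own ca" message, carried end to end as an added example that is not code from any poster in the thread. The config file, directory layout, subject names, extension sections and the host `intranet.example.test` are all constructed assumptions; the two helper functions check that the root carries `CA:TRUE` and that the server certificate verifies against that root when it is named explicitly with `-CAfile`.

```shell
#!/bin/sh
# Constructed lab CA: every path, subject and host name here is a placeholder.
build_lab_ca() {
    dir=$1
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
default_ca = lab_ca
[lab_ca]
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
private_key = $dir/cakey.pem
default_md = sha256
default_days = 30
policy = policy_anything
[policy_anything]
commonName = supplied
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
    # Self-signed root; the v3_ca section marks it as a CA certificate.
    openssl req -x509 -new -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -extensions v3_ca -subj "/CN=Example LAN Root CA" -days 30 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Server key and CSR (the -days option is omitted: a CSR has no validity period).
    openssl req -new -nodes -newkey rsa:2048 -config "$dir/openssl.cnf" \
        -subj "/CN=intranet.example.test" \
        -keyout "$dir/http.key" -out "$dir/http.csr" 2>/dev/null || return 1
    # Sign the CSR with the lab CA, adding server extensions and a SAN.
    openssl ca -batch -config "$dir/openssl.cnf" -policy policy_anything \
        -extensions v3_server -out "$dir/http.pem" -infiles "$dir/http.csr" 2>/dev/null
}
# Succeeds only if the certificate's basicConstraints says CA:TRUE.
ca_flag_set() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Succeeds only if cert $2 chains to the root in $1 (the system store is not consulted for the anchor).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```
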