RE: invalid certificate

2009-05-06 Thread Antonio Vidal Ferrer
Melanie:

Your certificate is invalid, as your navigator does not know the Certificate 
Authority who issued your server certificate (In this case, you). It's not 
related to expiration dates. You can find nice guides (using openssl :(  ) 
here: http://www.tc.umn.edu/~brams006/selfsign.html  and here: 
http://marc.info/?l=tomcat-user&m=106293430225790&w=2 that can help you to 
understand the process, and of course with the problem you are having.

Best,

Toni





-----Original Message-----
From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk] 
Sent: miércoles, 06 de mayo de 2009 12:04
To: users@tomcat.apache.org
Subject: invalid certificate


Hi,

I generated a new certificate according to 
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

First step:
keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/.keystore

Second step:

in servers.xml:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
   port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100"  maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="/usr/local/tomcat/.keystore" keystorePass="password"
   clientAuth="false" sslProtocol="TLS"/>


I am getting an error that the certificate is not valid when I access the https 
URL:

The error message is: uses an invalid security certificate


When I list the certificate:

Valid from: Wed May 06 11:52:13 MEST 2009 until: Tue Aug 04 11:52:13 MEST 2009

Can you please shed some light on this?

thanks



  

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org





RE: invalid certificate

2009-05-06 Thread Melanie Pfefer

Hi Antonio,

So you mean this error cannot be fixed?
All self-signed certificates have this problem when a browser accesses the page 
using ssl?

thanks




RE: invalid certificate

2009-05-06 Thread Peter Crowther
> From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk]
> So you mean this error cannot be fixed?
> All self-signed certificates have this problem when a browser
> accesses the page using ssl?

If the browser doesn't trust the root certificate that certifies the 
self-signed cert, it will give at least a warning and in some cases an error.  
This is a good thing, as otherwise I could create a self-signed certificate 
that said my web server was https://www.paypal.com, trick your browser into 
visiting my server, and you wouldn't see a warning.

Think of a certificate as being ID for that web server.  A certificate signed 
by a root certificate authority (CA) that's trusted by the browser is like a 
passport - slow and expensive to get, but almost everybody trusts it as ID.  A 
self-signed certificate is like a letter you've signed as proof of your own 
identity - fast and cheap to get, but not very good for proving who you are.

Is your web application being used on the Internet, or within the company?

If it's on the Internet, you really don't have a choice - if you want SSL and 
no warnings, you'll have to get a certificate signed by a well-known 
certificate authority, and you'll have to pay the money for that.

If it's on your internal network, the alternative is to add your company root 
CA to the browsers' trust list, then use an internally-generated cert.  You 
still can't use a *self-signed* cert as they're always one-offs, but you can 
generate one from your company CA if you have it.  Clearly if you don't have a 
company CA, you can't do this!

- Peter




RE: invalid certificate

2009-05-06 Thread Robin Wilson
Also, you can have the browser 'install' the certificate from your self-signed 
system - and it will no longer give you the error. This is only useful if you 
_know_ the certificate is valid (as in, you are the one who created it). 
Otherwise, you get into some serious security issues if you just start 
'installing' certificates where you don't know the Certifying Authority.

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com
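
Added example, not part of the original thread and not code from any of the posters: the trust decisions Peter and Robin describe above, reproduced with openssl, whose -CAfile stands in for the browser's trust list. The host name, CA name and file names are constructed; the self-signed certificate is the same kind that keytool -genkey produces.

```sh
#!/bin/sh
# Added example; subjects, file names and the temp dir are constructed.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Self-signed: the server vouches for itself (issuer == subject).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=tomcat.internal.example" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Company root CA, plus a server certificate issued by that CA.
make_ca_and_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=tomcat.internal.example" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 90 -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null
}

# trusts TRUSTFILE CERT: succeeds if CERT chains to an anchor in TRUSTFILE
# (openssl also reads its default store, which lacks these constructed certs).
trusts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Heuristic: a certificate whose issuer equals its subject is self-issued.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ]
}

# SHA-256 fingerprint, to compare out of band before installing a cert.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

check() {  # LABEL TRUSTFILE CERT
  if trusts "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

make_self_signed
make_ca_and_server
check "self-signed, trust list holds only the CA" "$WORK/ca.pem" "$WORK/self.pem"
check "self-signed, installed by hand" "$WORK/self.pem" "$WORK/self.pem"
check "CA-issued, CA in trust list" "$WORK/ca.pem" "$WORK/srv.pem"
check "CA-issued, CA not in trust list" "$WORK/self.pem" "$WORK/srv.pem"
echo "fingerprint of self.pem: $(fingerprint "$WORK/self.pem")"
```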


