RE: invalid certificate
Also, you can have the browser 'install' the certificate from your self-signed system - and it will no longer give you the error. This is only useful if you _know_ the certificate is valid (as in, you are the one who created it). Otherwise, you get into some serious security issues if you just start 'installing' certificates where you don't know the Certifying Authority.

--
Robin D. Wilson
Director of Web Development
KingsIsle Entertainment, Inc.
WORK: 512-623-5913
CELL: 512-426-3929
www.KingsIsle.com

-----Original Message-----
From: Peter Crowther [mailto:peter.crowt...@melandra.com]
Sent: Wednesday, May 06, 2009 6:55 AM
To: 'Tomcat Users List'
Subject: RE: invalid certificate

> From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk]
> So you mean this error cannot be fixed?
> All self-signed certificates have this problem when a browser
> accesses the page using ssl?

If the browser doesn't trust the root certificate that certifies the self-signed cert, it will give at least a warning and in some cases an error. This is a good thing, as otherwise I could create a self-signed certificate that said my web server was https://www.paypal.com, trick your browser into visiting my server, and you wouldn't see a warning.

Think of a certificate as being ID for that web server. A certificate signed by a root certificate authority (CA) that's trusted by the browser is like a passport - slow and expensive to get, but almost everybody trusts it as ID. A self-signed certificate is like a letter you've signed as proof of your own identity - fast and cheap to get, but not very good for proving who you are.

Is your web application being used on the Internet, or within the company?

If it's on the Internet, you really don't have a choice - if you want SSL and no warnings, you'll have to get a certificate signed by a well-known certificate authority, and you'll have to pay the money for that.

If it's on your internal network, the alternative is to add your company root CA to the browsers' trust list, then use an internally-generated cert. You still can't use a *self-signed* cert as they're always one-offs, but you can generate one from your company CA if you have it. Clearly if you don't have a company CA, you can't do this!

- Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: invalid certificate
> From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk]
> So you mean this error cannot be fixed?
> All self-signed certificates have this problem when a browser
> accesses the page using ssl?

If the browser doesn't trust the root certificate that certifies the self-signed cert, it will give at least a warning and in some cases an error. This is a good thing, as otherwise I could create a self-signed certificate that said my web server was https://www.paypal.com, trick your browser into visiting my server, and you wouldn't see a warning.

Think of a certificate as being ID for that web server. A certificate signed by a root certificate authority (CA) that's trusted by the browser is like a passport - slow and expensive to get, but almost everybody trusts it as ID. A self-signed certificate is like a letter you've signed as proof of your own identity - fast and cheap to get, but not very good for proving who you are.

Is your web application being used on the Internet, or within the company?

If it's on the Internet, you really don't have a choice - if you want SSL and no warnings, you'll have to get a certificate signed by a well-known certificate authority, and you'll have to pay the money for that.

If it's on your internal network, the alternative is to add your company root CA to the browsers' trust list, then use an internally-generated cert. You still can't use a *self-signed* cert as they're always one-offs, but you can generate one from your company CA if you have it. Clearly if you don't have a company CA, you can't do this!

- Peter
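The trust decisions described in the two replies above, reproduced with the openssl command line as an added example (it is not from either poster). The CA name "Example Corp Root CA" and host name app.internal.example are constructed, and `openssl verify` stands in for the browser's chain check only.

```shell
#!/bin/sh
# Added example. Keys are unencrypted throwaways in a temp dir, removed on exit.
# Assumes the stock openssl.cnf, which marks `req -x509` output as a CA.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_self_signed NAME CN: key plus a certificate that is its own issuer.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# make_ca_signed NAME CN: key plus CSR, then a certificate issued by $work/ca.crt.
make_ca_signed() {
  printf 'subjectAltName=DNS:%s\n' "$2" > "$work/$1.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -days 90 -extfile "$work/$1.ext" \
    -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
    -out "$work/$1.crt" 2>/dev/null
}

# trust_check CERT ANCHORS: does CERT chain to a certificate in the ANCHORS file?
# Chain trust only; a browser additionally matches the host name and dates.
trust_check() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  then echo trusted
  else echo untrusted
  fi
}

demo() {
  make_self_signed ca "Example Corp Root CA" || return 1       # company root CA
  make_self_signed selfsigned app.internal.example || return 1 # one-off server cert
  make_ca_signed issued app.internal.example || return 1       # server cert from the CA
  s="$work/selfsigned.crt"; i="$work/issued.crt"; c="$work/ca.crt"
  echo "self-signed cert, trust list holds only the company CA: $(trust_check "$s" "$c")"
  echo "self-signed cert, installed by hand as its own anchor:  $(trust_check "$s" "$s")"
  echo "CA-issued cert,   trust list holds only the company CA: $(trust_check "$i" "$c")"
  echo "CA-issued cert,   trust list holds an unrelated cert:   $(trust_check "$i" "$s")"
}
demo
```

Installing a self-signed certificate by hand makes that one certificate trusted and nothing else, while adding the company CA to the trust list covers every certificate it later issues.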
RE: invalid certificate
Hi Antonio,

So you mean this error cannot be fixed?
All self-signed certificates have this problem when a browser accesses the page using ssl?

thanks

--- On Wed, 6/5/09, Antonio Vidal Ferrer wrote:

> From: Antonio Vidal Ferrer
> Subject: RE: invalid certificate
> To: "'Tomcat Users List'"
> Date: Wednesday, 6 May, 2009, 1:37 PM
>
> Melanie:
>
> Your certificate is invalid, as your navigator does not know the Certificate Authority who issued your server certificate (In this case, you). It's not related to expiration dates. You can find nice guides (using openssl :( ) here: http://www.tc.umn.edu/~brams006/selfsign.html and here: http://marc.info/?l=tomcat-user&m=106293430225790&w=2 that can help you to understand the process, and of course with the problem you are having
>
> Best,
>
> Toni
>
> -----Original Message-----
> From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk]
> Sent: miércoles, 06 de mayo de 2009 12:04
> To: users@tomcat.apache.org
> Subject: invalid certificate
>
> Hi,
>
> I generated a new certificate according to http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
>
> First step:
>
>     keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/.keystore
>
> Second step:
>
> in servers.xml:
>
>     <Connector protocol="org.apache.coyote.http11.Http11Protocol"
>                port="8443"
>                minSpareThreads="5" maxSpareThreads="75"
>                enableLookups="true" disableUploadTimeout="true"
>                acceptCount="100" maxThreads="200"
>                scheme="https" secure="true" SSLEnabled="true"
>                keystoreFile="/usr/local/tomcat/.keystore"
>                keystorePass="password"
>                clientAuth="false" sslProtocol="TLS"/>
>
> I am getting an error that the certificate is not valid when I access the https URL:
>
> The error message is: uses an invalid security certificate
>
> When I list the certificate:
>
> Valid from: Wed May 06 11:52:13 MEST 2009 until: Tue Aug 04 11:52:13 MEST 2009
>
> Can you please shed some light on this?
>
> thanks
RE: invalid certificate
Melanie:

Your certificate is invalid, as your navigator does not know the Certificate Authority who issued your server certificate (In this case, you). It's not related to expiration dates. You can find nice guides (using openssl :( ) here: http://www.tc.umn.edu/~brams006/selfsign.html and here: http://marc.info/?l=tomcat-user&m=106293430225790&w=2 that can help you to understand the process, and of course with the problem you are having

Best,

Toni

-----Original Message-----
From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk]
Sent: miércoles, 06 de mayo de 2009 12:04
To: users@tomcat.apache.org
Subject: invalid certificate

Hi,

I generated a new certificate according to http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

First step:

    keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/.keystore

Second step:

in servers.xml:

I am getting an error that the certificate is not valid when I access the https URL:

The error message is: uses an invalid security certificate

When I list the certificate:

Valid from: Wed May 06 11:52:13 MEST 2009 until: Tue Aug 04 11:52:13 MEST 2009

Can you please shed some light on this?

thanks
invalid certificate
Hi,

I generated a new certificate according to http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

First step:

    keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/local/tomcat/.keystore

Second step:

in servers.xml:

I am getting an error that the certificate is not valid when I access the https URL:

The error message is: uses an invalid security certificate

When I list the certificate:

Valid from: Wed May 06 11:52:13 MEST 2009 until: Tue Aug 04 11:52:13 MEST 2009

Can you please shed some light on this?

thanks