Also, you can have the browser 'install' the certificate from your self-signed system - and it will no longer give you the error. This is only useful if you _know_ the certificate is valid (as in, you are the one who created it). Otherwise, you get into some serious security issues if you just start 'installing' certificates where you don't know the Certifying Authority.
-- Robin D. Wilson Director of Web Development KingsIsle Entertainment, Inc. WORK: 512-623-5913 CELL: 512-426-3929 www.KingsIsle.com -----Original Message----- From: Peter Crowther [mailto:peter.crowt...@melandra.com] Sent: Wednesday, May 06, 2009 6:55 AM To: 'Tomcat Users List' Subject: RE: invalid certificate > From: Melanie Pfefer [mailto:melanie_pfe...@yahoo.co.uk] > So you mean this error cannot be fixed? > All self-signed certificates have this problem when a browser > accesses the page using ssl? If the browser doesn't trust the root certificate that certifies the self-signed cert, it will give at least a warning and in some cases an error. This is a good thing, as otherwise I could create a self-signed certificate that said my web server was https://www.paypal.com, trick your browser into visiting my server, and you wouldn't see a warning. Think of a certificate as being ID for that web server. A certificate signed by a root certificate authority (CA) that's trusted by the browser is like a passport - slow and expensive to get, but almost everybody trusts it as ID. A self-signed certificate is like a letter you've signed as proof of your own identity - fast and cheap to get, but not very good for proving who you are. Is your web application being used on the Internet, or within the company? If it's on the Internet, you really don't have a choice - if you want SSL and no warnings, you'll have to get a certificate signed by a well-known certificate authority, and you'll have to pay the money for that. If it's on your internal network, the alternative is to add your company root CA to the browsers' trust list, then use an internally-generated cert. You still can't use a *self-signed* cert as they're always one-offs, but you can generate one from your company CA if you have it. Clearly if you don't have a company CA, you can't do this! - Peter --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
