[olug] which digital certificate authority?

Tim - DZ iceburn at dangerzone.com
Mon Sep 29 21:04:55 UTC 2003


In IE  
    internet options -> content -> certificates -> 'trusted'
   or
    browse to the page and click on 'view cert' then 'install cert'

In mozilla (firebird on this computer)
    just browse to the site and 'accept certificate permanently'

    I don't think you add certs 'manually' through the GUI but wouldn't
be surprised if you can just drop them in the right directory.


I remember watching somebody set one up with some open source package at
a conference (may very well have been mod_ssl as brian mentioned
earlier), pretty easy, only took a few minutes.  Similarly the
Certificate Authority that comes with Win2k server is dead easy to
install and use via web pages (it does sit on IIS / local hard disk /
etc /etc so be careful what computer you install it on).  Either way
should yield a cert pretty fast as long as you are familiar with how PKI
works.  If you don't know anything about PKI, then buying a cert from a
3rd party isn't going to save a whole lot of time anyway, because you're
still going to have to figure out how to use it.  

The theoretical advantage to going to somebody like verisign is that
they are a trusted third party that will never be hacked and safely
stores all certs, etc, etc.  The REAL advantage to using somebody like
verisign is typical users don't give a flip where the cert is generated
and don't care if they can save it on their PC...so that little box pops
up saying "this cert is from an untrusted CA do you want to proceed?"
Some users will freak out at the word untrusted, assume they're being
hacked and stop right there, others will not understand and not care and
click 'yes' but be annoyed because it pops up every time they visit the
site, the remaining 1/2 percent might check the cert, verify the server
name and add it to their trusted list....

-t



-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
Sam Tetherow
Sent: Monday, September 29, 2003 3:44 PM
To: Omaha Linux User Group
Subject: Re: [olug] which digital certificate authority?


it's not the server.crt you want to make available it is the CA.crt.  It
adds that cert to the trusted cert list so any cert signed by it is 
considered trusted.  If you are only dealing with the single www cert 
yes you can just hit trust forever.  If you have several certs it is 
a lot easier to just add the CA cert instead of each one individually.

Brian Wiese wrote:
> On Mon, 29 Sep 2003 11:17:10 -0500
> Sam Tetherow <tetherow at nicusa.com> wrote:
> 
> |if you don't want to spend the afternoon to figure out how to do a self
> |signed cert for internal stuff then I think the $49/year wouldn't be 
> |that unreasonable.  But really it doesn't take much to do it, check the 
> |mod_ssl FAQ for the quick and dirty how to ( 
> |http://www.modssl.org/docs/2.8/ssl_faq.html#ToC27 )
> 
> There's also a script that comes with mod_ssl, "mod-ssl-makecert.sh" 
> which will take you through all the prompts and generate the CA and the
> self signed cert for you.  I found that pretty handy, though I did 
> spend at least a couple hours playing with it to understand it a 
> little better. Getting a cert, and understanding the whole process may
> take you from 20 mins to an afternoon.. but I'm sure Neal understands 
> what this whole csr, crt, crl, key stuff is.
> 
> as for...
> 
> |All you need to do is load the signing cert into the browser's list of
> |acceptable CAs to get rid of this message.  Under Netscape/Mozilla all 
> |you need to do is view the .crt file with the browser.  I don't 
> |remember, but I'm pretty sure it at least asks for confirmation.
> |
> |To get it loaded under IE (included for completeness) you save the .crt
> |to disk, then open the file and it should launch the certificate wizard.
> 
> Do I need to just make the "server.crt" file available for download 
> for the clients to install this, or can they usually just say "trust 
> forever" (not an option in IE?) this cert when the window pops up on 
> the first time visiting the site?
> 
>  Brian Wiese | bwiese(at)cotse.com | aim: unolinuxguru
> -------------------------------------------------------
>   GnuPG/PGP key 0x2FD6AF16 | "FREEDOM!" - Braveheart
> ------------------------------------------------------- 
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
> 


-- 
------------------------------------------------------------------------
Sam Tetherow                           tetherow at nicusa.com
Director of Development
NIC Labs (PSSG)                        http://www.nicusa.com

_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug


