
Re: CA and edir certificates


a...@novell.com

Dec 14, 2009, 2:17:45 PM

There are, to my knowledge, two ways to make an SSL client automatically
approve of an SSL server's certificate, and I'll divide it into three
ways. Current versions of Firefox support the first way by just approving
of the certificate once.

1. Acknowledge the nastygram about the certificate not being trusted, go
to the page anyway, view the certificate, leave 'Permanently trust...'
checked and then accept/save/whatever it and that's it. You now have
explicitly trusted this certificate for your user in Firefox so going back
you should not get an error/warning about it.

2a. Import and trust the trusted root certificate of your certificate.
When a certificate is created its private key is chained to a root
certificate. If the root certificate that is chained is trusted by the
client, then when the key is retrieved by the client (browser, Firefox) it
sees that the certificate is chained to the trusted root certificate and
allows it to be used. This is how the entire Public Key Infrastructure
setup works for third-party certificates, so as long as you import the (as
I recall) Self-Signed certificate from your CA then any certificates from
that CA will be trusted. This assumes that all of the clients you are
using are being offered certificates from this CA.

2b. Similar to above, use a certificate chained back to a CA which is
already trusted (Digicert, RapidSSL, Geotrust, Thawte, Verisign, etc.).
As the browser comes with these trusted it avoids that prompt.

Good luck.

tersteew wrote:
> Sorry if I get the terminology wrong, but encryption is still mysterious
> to me.
>
> We have a good sized edir tree and all of the servers seem to have the
> certs signed by the CA of the tree. I wanted to import the main cert
> into firefox and IE so that when I go to the servers ssl enabled pages
> (like NRM) I don't get the, this certificate is bad blah blah blah
> message. I tried exporting the main cert from the security container
> (der file) and imported into firefox and IE, but I still get warning
> messages every time I connect to any of the tree servers. Firefox
> throws this message:
>
> "The certificate is not trusted because the issuer certificate is
> unknown."
>
> That sounds like it is not finding the root ca that I imported or it is
> wrong. The only weird thing I can see is, in firefox, the Issued To
> section shows the server's name (which is right) but the organization is
> in lower case. In the Issued By, the organization is in upper case.
> Don't know if that matters, or how to correct either.
>
> --Eric

a...@novell.com

Dec 14, 2009, 3:08:30 PM

Check your actual error message too... it will tell you what is wrong. If
you are going to https://1.2.3.4:8030/nds and your certificate is for
https://yourbox.yourdomain.tld:8030/nds you will still get an error.

Good luck.

tersteew wrote:
> I am trying to do #2. When servers are created in the eDir structure
> (OES2 NetWare/Linux) it looks like they get a certificate that is
> signed by the CA at the security container with the name of the tree
> (root certificate). I exported this certificate and imported it into
> firefox (root certificate). When I visit an edir server via SSL, that
> should be signed by that cert, it is still throwing that error in
> firefox.
>
> So I guess my problem is more of what broke. How do I check that I have
> the right root certificate, or how do I know if the server is actually
> signed by said certificate?


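The two checks this exchange turns on, "does the server certificate chain to the root I trust" (the first reply's point 2a) and "does the certificate match the name I typed" (the 1.2.3.4 versus yourbox.yourdomain.tld point above), worked as an added Go example that is not from the thread or from Novell: it constructs a tree CA, an unrelated CA and a server certificate issued by the tree CA, then verifies the server certificate the way a browser does. The host names are the thread's own examples; "Tree CA", "Other CA" and the organisation strings are assumed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes a fresh Ed25519 key and a certificate for it: a self-signed CA when parent is nil, otherwise a server cert signed by the parent's key (org/cn are constructed values).
func issue(serial int64, org, cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: parent == nil, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	} else {
		tmpl.DNSNames = []string{cn} // a browser matches the typed host against this SAN list
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // re-parse so it can serve as a parent and be verified
	return c, key
}

// scenario: the tree CA, an unrelated CA, and a server cert the tree CA issued. The server's own Subject organisation is lower case, as in the thread; chaining uses the Issuer field and AKID, not that case.
func scenario() (tree, other, server *x509.Certificate) {
	tree, treeKey := issue(1, "TREE", "Tree CA", nil, nil)
	other, _ = issue(2, "OTHER", "Other CA", nil, nil)
	server, _ = issue(3, "tree", "yourbox.yourdomain.tld", tree, treeKey)
	return
}

// check does what Firefox does: chain the server cert to the trusted root, then match the host.
func check(server, trustedRoot *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch err.(type) {
	case nil:
		return "trusted"
	case x509.UnknownAuthorityError:
		return "issuer certificate is unknown" // Firefox's wording in the thread
	case x509.HostnameError:
		return "hostname mismatch" // https://1.2.3.4 against a cert for yourbox.yourdomain.tld
	}
	return err.Error()
}
```

check with the tree root and the typed host name returns "trusted"; the same server certificate checked against the other root reproduces the "issuer certificate is unknown" error, and checking it against 1.2.3.4 reproduces the name mismatch the second reply warns about.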

a...@novell.com

Dec 14, 2009, 6:03:55 PM

Yes, the various tabs can be confusing. Thank you for posting back your
results.

Good luck.

tersteew wrote:
> Well, fun, it is all about terminology.
>
> I kept trying to import the root CA cert into the servers section of
> Firefox. Firefox has another section called "authorities" which is
> where it needed to go. Once I imported the root CA from the tree into
> the authorities section, the edir servers no longer complain when I
> go to their respective SSL sites.
>
> The same thing holds for IE. There is a personal section and a Trusted
> Root Cert Authorities section... Brain is working now.
>
> Thanks for the help.

