SSL Certificates

[Ed Kasky <ed@es...>]

Being new at ssl - bear with me if I screw this up:

I just installed ssl capabilities onto a RH 6.1 box with Webmin 0.86.

When I connect to the machine via https://host:10000

I get a message saying that
- The security certificate is from a trusted certifying authority.
- the security certificate date is valid.
- The name on the security certificate does not match the
    name on the site.

I click yes to proceed and all goes well - but how do I fix the name on the=
=20
certificate so that it matches the name of the site?

Thanks in advance....

Ed
~~
Ed Kasky
Los Angeles, CA
. . . . . . . .
Minds are like parachutes.=A0 They work best when open.

RE: SSL Certificates

[Craig White <craigwhite@az...>]

> -----Original Message-----
> From: webadmin-list-admin@...
> [mailto:webadmin-list-admin@...]On Behalf Of Ed Kasky
> Sent: Thursday, June 28, 2001 5:52 PM
> To: webadmin-list@...
> Subject: SSL Certificates
>
>
> Being new at ssl - bear with me if I screw this up:
>
> I just installed ssl capabilities onto a RH 6.1 box with Webmin 0.86.
>
> When I connect to the machine via https://host:10000
>
> I get a message saying that
> - The security certificate is from a trusted certifying authority.
> - the security certificate date is valid.
> - The name on the security certificate does not match the
>     name on the site.
>
> I click yes to proceed and all goes well - but how do I fix the
> name on the
> certificate so that it matches the name of the site?
>
> Thanks in advance....
>
> Ed
---------
Personally, I wouldn't bother because it's work and it doesn't solve the
problem of being asked to ok the certificate presented - which will always
come up if the certificate isn't from a trusted source, i.e. Thawte,
Verisign or others.

But that doesn't answer the question...

you can generate your own self-signed certificate

use
this...<http://www.redhat.com/support/manuals/RHL-7-Manual/ref-guide/ch-secu
ring.html> I know that it's about RH7 but it should be the same for 6.2 -
after you create the 'pem' certificate - you can use webmin configuration to
use that certificate.

Craig

Re: SSL Certificates

[Robert Bossecker <Robert.Bossecker@fr...>]

Ed Kasky wrote:
> 
> Being new at ssl - bear with me if I screw this up:
> 
> I just installed ssl capabilities onto a RH 6.1 box with Webmin 0.86.
> 
> When I connect to the machine via https://host:10000
> 
> I get a message saying that
> - The security certificate is from a trusted certifying authority.

I wonder why the CA is trusted, because this should only the case
if the CA is already known to your browser, and i know no
CA which is willing to sign a certificate for hostname "*".

> - the security certificate date is valid.
> - The name on the security certificate does not match the
>     name on the site.


I assume you are using MSIE for some reason :-),
My experiences with MSIE are that MSIE does
not recognice wild card certificates. The default SSL certificate
for webmin is a self signed Ceritificate with a Common Name of "*",
so it will match every hostname. Netscape handles this syntax
correctly. Also Netscape can handle constructs like this
(www|mail).domain.com as the common name, so you can access the same
server with
both names http://www.domain.com or mail.domain.com, MSIE will complain.
But nevertheless a certificate which does not reflect the original
hostname may only be a temporary solution. Take yourself some time
to learn how to setup a Certifcation Authority by yourself or buy
some certificate from Verisign or Thawte. Those certificates must
be renewed yearly otherwise your browsers will complain again that
the certificate is expired :-).
For a intranet or extranet with limited external users it may be
feasible to use a self generated CA Certificate with a lifetime
of 5 to 10 years to sign all server certificates with, so you do
not have to fiddle with each new certificate to be accepted by
the browsers used, only your CA certificate has to be known by the
browser.

Also instruct users not to click always on "OK" or "Continue" if 
there are complaints about certificates, this opens a big hole for
"men in the middle" attacks. But as it is always, the users are the
biggest security risks sometimes :-).

> 
> I click yes to proceed and all goes well - but how do I fix the name on the
> certificate so that it matches the name of the site?
> 
> Thanks in advance....
> 
> Ed
> ~~
> Ed Kasky
> Los Angeles, CA
> . . . . . . . .
> Minds are like parachutes.  They work best when open.
> 
> -
> Forwarded by the Webmin mailing list at webadmin-list@...
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list

-- 
Robert Bossecker  | Fresenius AG, Bad Homburg, Germany
UNIX-Systemmanager| Phone: +49 6172 608 7677
                  | Fax  : +49 6172 608 7858
                  | Email: Robert.Bossecker@...