<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">It's still encrypted, it's just not
"trusted". I usually do this to ssl encrypt a site, but don't
care about the cert popup.<br>
<br>
If it's something where you control the clients (think enterprise AD
environment), you can always self-sign a ca, push the ca cert to
clients as a trusted ca (i.e. windoze gpo auto-enroll push for cert
distribution), and you shouldn't get that anymore assuming the
CN's are valid. Or just make everyone using it install the CA
cert as "trusted", even with a self-signed CA cert. I have a
quickie openssl recipe to create one, see below (for ubuntu, dir's may
change for dists):<br>
<br>
This is normally how an enterprise cert infrastructure is done,
specifically NOT using external trusts for internal applications,
eap for wired/wireless authentication/encryption, or whatever use.<br>
<br>
#########<br>
## 2) setup openssl for ca generation of certs for ssl<br>
<br>
cd /etc/ssl<br>
<br>
sudo vi openssl.cnf<br>
<br>
## see appendix for details on what to change<br>
#################################################<br>
## notable changes to /etc/ssl/openssl.cnf<br>
<br>
[ CA_default ]<br>
<br>
dir = /etc/ssl # Where everything is kept<br>
certs = $dir/certs # Where the issued certs
are kept<br>
crl_dir = $dir/crl # Where the issued crl are
kept<br>
database = $dir/index.txt # database index file.<br>
#unique_subject = no # Set to 'no' to allow
creation of<br>
# several certificates with
same subject.<br>
new_certs_dir = $dir/newcerts # default place for new
certs.<br>
<br>
certificate = $dir/certs/ca.local.pem # The CA certificate<br>
serial = $dir/serial # The current serial
number<br>
crlnumber = $dir/crlnumber # the current crl number<br>
# must be commented out to
leave a V1 CRL<br>
crl = $dir/crl.pem # The current CRL<br>
private_key = $dir/private/ca.local.key # The private key<br>
RANDFILE = $dir/private/.rand # private random number
file<br>
<br>
x509_extensions = usr_cert # The extensions to add to
the cert<br>
<br>
[ req_distinguished_name ]<br>
countryName = Country Name (2 letter code)<br>
countryName_default = US<br>
countryName_min = 2<br>
countryName_max = 2<br>
<br>
stateOrProvinceName = State or Province Name (full
name)<br>
stateOrProvinceName_default = $STATE$<br>
<br>
localityName = Locality Name (eg, city)<br>
localityName_default = $SNMPLOCATION$<br>
<br>
0.organizationName = Organization Name (eg, company)<br>
0.organizationName_default = Company Organization, Inc.<br>
<br>
organizationalUnitName = Your Organizational Unit Name<br>
organizationalUnitName_default = Network Planning &
Engineering<br>
<br>
commonName = Common Name (eg, YOUR name)<br>
commonName_max = 64<br>
<br>
emailAddress = Your Email Address<br>
emailAddress_default = $SNMPCONTACT$<br>
emailAddress_max = 64<br>
<br>
#################################################<br>
## note: find/replace local with your dns extension to the host<br>
## find/replace ca01 and netmon01 as appropriate<br>
<br>
sudo openssl req -new -x509 -extensions v3_ca -keyout
./private/ca.local.key -out ./certs/ca.local.pem -days 1461
-config ./openssl.cnf<br>
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr
-keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf<br>
sudo mkdir newcerts<br>
sudo touch index.txt<br>
sudo vi ./serial<br>
## add to file "100001"<br>
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config
./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr<br>
sudo su -<br>
cd /etc/ssl/private<br>
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out
$HOSTNAME$.$DOMAIN$-clear.key<br>
exit<br>
<br>
-mb<br>
<br>
<br>
On 03/13/2014 11:03 AM, Mark Phillips wrote:<br>
</div>
<blockquote
cite="mid:CAEqej2PKt0zLNUOG8tEYK3q7VJtV5gb6GY6=US00hJhSHHr3yA@mail.gmail.com"
type="cite">
<p dir="ltr">I would like to find an inexpensive (ie really cheap)
ssl cert for a project I am working on. I have a self-signed
certificate now, and I would like to get rid of the annoying
warning messages. </p>
<p dir="ltr">A side question. When I click on "continue" in the
warning message, I connect to the site. However, the https in
the Chrome browser bar is red and has a slash through it. Does
that mean the traffic is not encrypted, or is it just another
warning that the cert is not verified?</p>
<p dir="ltr">All I need to do is encrypt the traffic between the
browser and server. There is no e-commerce involved. The content
contains some sensitive financial info, so I would like to
encrypt it. </p>
<p dir="ltr">I googled for cheap certs, and there are many
providers, so I have no idea which ones are any good. If you
have any experience with a particular provider, please let me
know.</p>
<p dir="ltr">Thanks,</p>
<p dir="ltr">Mark</p>
<br>
<pre wrap="">---------------------------------------------------
PLUG-discuss mailing list - <a class="moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="moz-txt-link-freetext" href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a></pre>
</blockquote>
<br>
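<p>The private-CA approach from the reply at the top of this message, as an added example that is not the poster's recipe: it builds a throwaway CA and one host certificate in a temporary directory, then uses openssl verify to show when a client accepts the certificate. It signs with openssl x509 -req instead of the recipe's openssl ca database and puts the host name in subjectAltName, which current browsers check instead of the CN; the host name, subject fields and config section names are constructed for the example.</p>

```shell
#!/usr/bin/env bash
# Added example: throwaway private CA and host certificate (all names constructed).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
HOST=netmon.example.internal          # constructed host name

build_pki() {
  # Minimal stand-in for the edited openssl.cnf; section names are this example's own.
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_host]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF
  # Self-signed CA certificate, same lifetime as the recipe (-days 1461).
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 1461 -config "$WORK/ca.cnf" \
    -extensions v3_ca -subj "/O=Example Org/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # Host key and certificate signing request.
  openssl req -new -nodes -newkey rsa:2048 -config "$WORK/ca.cnf" -subj "/CN=$HOST" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null || return 1
  # The CA signs the request and adds the subjectAltName extension.
  openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_host \
    -out "$WORK/host.crt" 2>/dev/null
}

# accepts CA_FILE NAME: would a client whose added trust anchor is CA_FILE
# ("" = the CA cert was never installed) accept host.crt for NAME?
accepts() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/host.crt" >/dev/null 2>&1
  else
    openssl verify -verify_hostname "$2" "$WORK/host.crt" >/dev/null 2>&1
  fi
}

build_pki || { echo "openssl failed" >&2; exit 1; }
accepts "$WORK/ca.pem" "$HOST" && echo "CA installed, name matches: accepted"
accepts "" "$HOST" || echo "CA not installed: rejected (the browser warning)"
accepts "$WORK/ca.pem" "other.example.internal" || echo "CA installed, wrong name: rejected"
```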
</body>
</html>