It's still encrypted, it's just not "trusted". I usually do this to ssl encrypt a site, but don't care about the cert popup.

If it's something where you control the clients (think enterprise AD environment), you can always self-sign a ca, push the ca cert to clients as a trusted ca (i.e. windoze gpo auto-enroll push for cert distribution), and you shouldn't get that anymore assuming the CN's are valid. Or just make everyone using it install the CA cert as "trusted", even with a self-signed CA cert.

I have a quickie openssl recipe to create, see below (for ubuntu, dir's may change for dists):

This is normally how an enterprise cert infrastructure is done, specifically NOT using external trusts for internal applications, eap for wired/wireless authentication/encryption, or whatever use.

#########
## 2) setup openssl for ca generation of certs for ssl
cd /etc/ssl
sudo vi openssl.cnf
## see appendix for details on what to change

#################################################
## notable changes to /etc/ssl/openssl.cnf

[ CA_default ]
dir = /etc/ssl                              # Where everything is kept
certs = $dir/certs                          # Where the issued certs are kept
crl_dir = $dir/crl                          # Where the issued crl are kept
database = $dir/index.txt                   # database index file.
#unique_subject = no                        # Set to 'no' to allow creation of
                                            # several certificates with same subject.
new_certs_dir = $dir/newcerts               # default place for new certs.
certificate = $dir/certs/ca.local.pem       # The CA certificate
serial = $dir/serial                        # The current serial number
crlnumber = $dir/crlnumber                  # the current crl number
                                            # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                          # The current CRL
private_key = $dir/private/ca.local.key     # The private key
RANDFILE = $dir/private/.rand               # private random number file
x509_extensions = usr_cert                  # The extensions to add to the cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $STATE$
localityName = Locality Name (eg, city)
localityName_default = $SNMPLOCATION$
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Company Organization, Inc.
organizationalUnitName = Your Organizational Unit Name
organizationalUnitName_default = Network Planning & Engineering
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Your Email Address
emailAddress_default = $SNMPCONTACT$
emailAddress_max = 64

#################################################
## note: find/replace local with your dns extension to the host
## find/replace ca01 and netmon01 as appropriate

## create the CA key and self-signed CA cert
sudo openssl req -new -x509 -extensions v3_ca -keyout ./private/ca.local.key -out ./certs/ca.local.pem -days 1461 -config ./openssl.cnf

## create the host key and signing request
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr -keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf

## files the CA needs before it can sign
sudo mkdir newcerts
sudo touch index.txt
sudo vi ./serial
## add to file "100001"

## sign the request with the CA
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config ./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr

sudo su -
cd /etc/ssl/private
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out $HOSTNAME$.$DOMAIN$-clear.key
exit

-mb

On 03/13/2014 11:03 AM, Mark Phillips wrote:
>
> I would like to find an inexpensive (ie really cheap) ssl cert for a
> project I am working on. I have a self-signed certificate now, and I
> would like to get rid of the annoying warning messages.
>
> A side question. When I click on "continue" in the warning message, I
> connect to the site. However, the https in the Chrome browser bar is
> red and has a slash through it. Does that mean the traffic is not
> encrypted, or is it just another warning that the cert is not verified?
>
> All I need to do is encrypt the traffic between the browser and
> server. There is no e-commerce involved. The content contains some
> sensitive financial info, so I would like to encrypt it.
>
> I googled for cheap certs, and there are many providers, so I have no
> idea which ones are any good. If you have any experience with a
> particular provider, please let me know.
>
> Thanks,
>
> Mark
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
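
The recipe from the reply above, condensed so it runs unattended in a scratch directory and then checks the result the way a client would. This is an added example, not part of the original post; the CA name and www.example.internal are constructed, and it assumes OpenSSL 1.1.1 or later. It also sets a subjectAltName, because current browsers match the host name against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example. Constructed names: "Example Local CA", www.example.internal.
# The CA key is left unencrypted (-nodes) only so the demo runs unattended.
build_ca() {   # $1 = empty working dir, $2 = server host name
    d=$1 host=$2
    mkdir -p "$d/private" "$d/certs" "$d/newcerts" || return 1
    chmod 700 "$d/private"; : > "$d/index.txt"; echo 100001 > "$d/serial"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/ca.local.pem
private_key = \$dir/private/ca.local.key
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 1461 \
        -extensions v3_ca -subj "/CN=Example Local CA" -config "$d/openssl.cnf" \
        -keyout "$d/private/ca.local.key" -out "$d/certs/ca.local.pem" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" -config "$d/openssl.cnf" \
        -keyout "$d/private/$host.key" -out "$d/certs/$host.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$d/openssl.cnf" \
        -out "$d/certs/$host.crt" -infiles "$d/certs/$host.csr" 2>/dev/null
}

# True only if the client trusts ca.local.pem AND the name matches the SAN.
trusted_for() {   # $1 = dir, $2 = issued host, $3 = name the client connects to
    openssl verify -CAfile "$1/certs/ca.local.pem" -verify_hostname "$3" \
        "$1/certs/$2.crt" >/dev/null 2>&1
}
```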