It's still encrypted, it's just not "trusted".  I usually do this to ssl encrypt a site, but don't care about the cert popup.

If it's something where you control the clients (think enterprise AD environment), you can always self-sign a ca, push the ca cert to clients as a trusted ca (ie. windoze gpo auto-enroll push for cert distribution), and you shouldn't get that anymore assuming the CN's are valid.  Or just make everyone using it install the CA cert as "trusted", even with a self-signed CA cert.  I have a quickie openssl recipe to create, see below (for ubuntu, dir's may change for dists):

This is normally how an enterprise cert infrastructure is done, specifically NOT using external trusts for internal applications, eap for wired/wireless authentication/encryption, or whatever use.

#########
## 2) setup openssl for ca generation of certs for ssl

cd /etc/ssl

sudo vi openssl.cnf

## see appendix for details on what to change
#################################################
## notable changes to /etc/ssl/openssl.cnf

[ CA_default ]

dir             = /etc/ssl        # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/certs/ca.local.pem    # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.local.key    # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $STATE$

localityName                    = Locality Name (eg, city)
localityName_default            = $SNMPLOCATION$

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company Organization, Inc.

organizationalUnitName          = Your Organizational Unit Name
organizationalUnitName_default  = Network Planning & Engineering

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Your Email Address
emailAddress_default            = $SNMPCONTACT$
emailAddress_max                = 64

#################################################
## note: find/replace local your dns extension to the host
## find/replace ca01 and netmon01 as appropriate

sudo openssl req -new -x509 -extensions v3_ca -keyout ./private/ca.local.key -out ./certs/ca.local.pem -days 1461 -config ./openssl.cnf
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr -keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf
sudo mkdir newcerts
sudo touch index.txt
sudo vi ./serial
## add to file "100001"
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config ./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr
sudo su -
cd /etc/ssl/private
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out $HOSTNAME$.$DOMAIN$-clear.key
exit

-mb
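
Added example, not part of the original post: a throwaway CA and host cert built in a temp dir, then checked with openssl verify to show what a client decides with the CA cert installed, without it, and for a host name the cert does not cover. All names (Demo Internal CA, Other CA, netmon01.example.local) are constructed, and putting the name in subjectAltName is an addition here, because current browsers match on the SAN rather than the CN.

```sh
# Added example (not from the original post). All names are constructed:
# "Demo Internal CA", "Other CA", netmon01.example.local.

# make_ca DIR CN: self-signed CA; DIR/ca.pem is what you push to clients.
make_ca() {
  mkdir -p "$1" || return 1
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 30 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_host CADIR FQDN: key + CSR, signed by the CA, name also in subjectAltName
# (current browsers match the SAN, not the CN).
issue_host() {
  openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'subjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# client_verdict ROOTS CERT NAME: what a client holding ROOTS decides for NAME.
client_verdict() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

demo() {
  d=$(mktemp -d) || return 1
  h=netmon01.example.local
  make_ca "$d/corp" "Demo Internal CA" && make_ca "$d/other" "Other CA" &&
    issue_host "$d/corp" "$h" || return 1
  echo "CA cert installed:     $(client_verdict "$d/corp/ca.pem"  "$d/corp/$h.crt" "$h")"
  echo "CA cert not installed: $(client_verdict "$d/other/ca.pem" "$d/corp/$h.crt" "$h")"
  echo "wrong host name:       $(client_verdict "$d/corp/ca.pem"  "$d/corp/$h.crt" "ca01.example.local")"
  rm -rf "$d"
}
demo
```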


On 03/13/2014 11:03 AM, Mark Phillips wrote:

I would like to find an inexpensive (ie really cheap) ssl cert for a project I am working on. I have a self-signed certificate now, and I would like to get rid of the annoying warning messages.

A side question. When I click on "continue" in the warning message, I connect to the site. However, the https in the Chrome browser bar is red and has a slash through it. Does that mean the traffic is not encrypted, or is it just another warning that the cert is not verified?

All I need to do is encrypt the traffic between the browser and server. There is no e-commerce involved. The content contains some sensitive financial info, so I would like to encrypt it.

I googled for cheap certs, and there are many providers, so I have no idea which ones are any good. If you have any experience with a particular provider, please let me know.

Thanks,

Mark



---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org