Re: OT: Looking for advice on SSL certs

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMRyan Barry at <-
.M 
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Michael Butash
Date:  
To: plug-discuss
Subject: Re: OT: Looking for advice on SSL certs
It's still encrypted, it's just not "trusted". I usually do this to ssl
encrypt a site, but don't care about the cert popup.

If it's something you control the clients (think enterprise AD
environment), you can always self-sign a ca, push the ca cert to clients
as a trusted ca (ie. windoze gpo auto-enroll push for cert
distribution), and you shouldn't get that anymore assuming the CN's are
valid. Or just make everyone using it install the CA cert as "trusted",
even with a self-signed CA cert. I have a quickie openssl recipe to
create, see below (for ubuntu, dir's may change for dists):

This is normally now an enterprise cert infrastructure is done,
specifically NOT using external trusts for internal applications, eap
for wired/wireless authentication/encryption, or whatever use.

#########
## 2) setup openssl for ca generation of certs for ssl

cd /etc/ssl

sudo vi openssl.cnf

## see appendix for details on what to change
#################################################
## notable changes to /etc/ssl/openssl.cnf

[ CA_default ] 

dir             = /etc/ssl        # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                         # several ctificates with same 
subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.


certificate     = $dir/certs/ca.local.pem    # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                         # must be commented out to 
leavea V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.local.key    # The private key
RANDFILE        = $dir/private/.rand    # private random number file


x509_extensions = usr_cert              # The extentions to add to the cert


[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2


stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $STATE$


localityName                    = Locality Name (eg, city)
localityName_default            = $SNMPLOCATION$


0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Company Organization, Inc.


organizationalUnitName          = Your Organizational Unit Name
organizationalUnitName_default  = Network Planning & Engineering


commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64


emailAddress                    = Your Email Address
emailAddress_default            = $SNMPCONTACT$
emailAddress_max                = 64


#################################################
## note: find/replace local your dns extension to the host
## find/replace ca01 and netmon01 as appropriate

sudo openssl req -new -x509 -extensions v3_ca -keyout
./private/ca.local.key -out ./certs/ca.local.pem -days 1461 -config
./openssl.cnf
sudo openssl req -new -nodes -out ./certs/$HOSTNAME$.$DOMAIN$.csr
-keyout ./private/$HOSTNAME$.$DOMAIN$.key -config ./openssl.cnf
sudo mkdir newcerts
sudo touch index.txt
sudo vi ./serial
## add to file "100001"
sudo openssl ca -out ./certs/$HOSTNAME$.$DOMAIN$.crt -config
./openssl.cnf -infiles ./certs/$HOSTNAME$.$DOMAIN$.csr
sudo su -
cd /etc/ssl/private
openssl rsa -in $HOSTNAME$.$DOMAIN$.key -out $HOSTNAME$.$DOMAIN$-clear.key
exit

-mb


On 03/13/2014 11:03 AM, Mark Phillips wrote:
>
> I would like to find an inexpensive (ie really cheap) ssl cert for a
> project I am working on. I have a self-signed certificate now, and I
> would like to get rid of the annoying warning messages.
>
> A side question. When I click on "continue" in the warning message, I
> connect to the site. However, the https in the Chrome browser bar is
> red and has a slash through it. Does that mean the traffic is not
> encrypted, or is it just another warning that the cert is not verified?
>
> All I need to do is encrypt the traffic between the browser and
> server. There is no e-commerce involved. The content contains some
> sensitive financial info, so I would like to encrypt it.
>
> I googled for cheap certs, and there are many providers, so I have no
> idea which ones are any good. If you have any experience with a
> particular provider, pleaser let me know.
>
> Thanks,
>
> Mark
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: OT: Looking for advice on SSL certsWhy is Firefox so slow (and degrades over time)?->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)