Web Server certificate question

ben.butler at w16.co.uk ben.butler at w16.co.uk
Tue Mar 24 13:41:20 EDT 2015


For internal use, you can also create a certificate authority and then self-sign your CSR, then also publish your root CA's public cert into the trusted list of CAs on the host / browser by clicking on a href link to it on a page; then the SSL on the web page or other application won't break on the trust change. This works well within the perimeter of a corporate environment as you can get your CA's cert added easily to the hosts; it is not practical when dealing with joe public as the signing chain will break, as it is signed by a non-recognised CA.

Google certificate authority debian howto

Ben

On 24 March 2015 17:33:16 GMT+00:00, "Terence J. young, DC" <terry.young at journeymhc.org> wrote:
>Hi Jim,
>
>If the issuer is an intermediary issuing agent of a root level CA, then 
>you also need to include a value for the SSLCACertificateFile directive.
>
>If you had wanted to use name-based virtual hosts on the apache server, 
>you could have purchased a wildcard certificate that would have a CN = 
>*.jimsdomain.com
>
>You could then have multiple dns entries pointing to the same server and
>then serve up the same certificate, or separate certificates for each 
>virtual host.
>
>terry
>
>PS, you can view the contents of your cert with the following..
>
>openssl x509 -in /pathtocert/nameofcert -text
>
>
>
>
>On 3/24/15, 10:40 AM, Jim Pistrang wrote:
>> Hi Lou, Bruno, Andrew, others,
>>
>> I already have a trusted SSL certificate for jimsdomain.com installed on the server.  If I associate jimsdomain.com with the FIREWALL address will it all work?  In other words...
>>
>> 1) www.jimsdomain.com is mapped to the firewall IP address (12.345.67.89 in my example below)
>> 2) the url for the app is <https://www.jimsdomain.com:5922/rfMyApp.htm>
>> 3) port 5922 is routed to the server
>> 3) the SSL certificate for www.jimsdomain.com is installed on the server
>>
>> Will this work?
>>
>> Thanks,
>>
>> Jim
>>
>> Lou said:
>>
>>> This is generally a constraint effected/controlled by the Certificate
>>> Authority. Generally speaking, the FQDN must match precisely the CN
>>> (Common Name) of the issued (sub-) certificate. You'd likely want to
>>> issue a server cert of the format myserver.JimsDomain.com. It's a common
>>> that a directly IP-addressed server would get choked on.
>>>
>>> This is all controlled by the 'rules' your issuing CA builds into its
>>> signing process - as well as any you determine, if you're issuing your
>>> own certs - as we do.
>> Bruno said:
>>> Server certificates are bound to a single dns name. Thus, ip addresses,
>>> localhost or any nickname you might use to call
>>> your server will get you the same warning.
>> Andrew said:
>>> You need to generate a Certificate Signing Request (CSR) from the mac you
>>> are going to install on.
>>>
>>> It will then spit out a file and you need to submit the contents to your
>>> SSL provider, which will then send you a file back that you install on the
>>> server.
>>>
>>>
>>> It seems like you did not generate the CSR on the machine, and/or you do
>>> not have a dedicated IP address for a SSL certificate.
>>   
>>> ----- Original Message -----
>>>
>>> From: "Jim Pistrang" <jim at jpcr.com>
>>> To: "Omnis List Mail" <omnisdev-en at lists.omnis-dev.com>
>>> Sent: Tuesday, March 24, 2015 10:50:52 AM
>>> Subject: Web Server certificate question
>>>
>>> Hi all,
>>>
>>> This isn't exactly an Omnis question, but it is related. Hope someone
>>> can help.
>>>
>>> I have an Omnis Javascript application running on a client site. The app
>>> is running on a Mac OS X Server inside their firewall. The app can be
>>> run from outside their firewall via a secure port in their firewall.
>>> When I do this, the url looks like this:
>>> <https://12.345.67.89:5922/rfMyApp.htm>
>>> In the above example, 12.345.67.89 is the IP address of the firewall,
>>> and port 5922 is a secure port opened to the server. Apache is listening
>>> on this port.
>>>
>>> This all works perfectly well, except that users get a warning saying
>>> that the site may not be secure. My client has asked that I purchase a
>>> trusted certificate for the site. I have done the following:
>>>
>>> 1) Gave the server a host name of jimsdomain.com
>>> 2) Registered jimsdomain.com and purchased a trusted certificate. [note:
>>> the domain name is not associated with an IP address]
>>> 3) Added the certificate in Server Manager on the server, and it shows
>>> up as valid
>>>
>>> BUT - I still get warning messages in my browser when I access the app,
>>> since the url that I type in <https://12.345.67.89:5922/rfMyApp.htm>
>>> does not match the certificate name 'jimsdomain.com'
>>>
>>> Is there a way to do this? Do I need to install a certificate on the
>>> firewall?
>>>
>>> Jim
>>>
>>> -- 
>>> Jim Pistrang
>>> JP Computer Resources
>>> 413-256-4569
>>> <http://www.jpcr.com>
>>>
>>>
>>> _____________________________________________________________
>>> Manage your list subscriptions at http://lists.omnis-dev.com
>>>
>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
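
Added example, not part of the original messages: the internal-CA approach Ben describes, followed by the name check behind the warning discussed in the thread. The CA subject, file names, helper function names and the address 192.0.2.10 are constructed for illustration; only `www.jimsdomain.com` comes from the thread.

```shell
#!/bin/sh
# Added example. "Example Internal Root CA" and 192.0.2.10 are constructed values.
set -eu

# Build a private root CA and use it to sign a CSR for DNS name $2, all inside dir $1.
make_internal_ca_cert() {
    d=$1; name=$2
    # Minimal req config so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
    # 1. Root CA key and self-signed cert; ca.pem is what gets added to client trust stores.
    openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 3650 -subj "/O=Example Corp/CN=Example Internal Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # 2. Server key and CSR (generated on the server; the key never leaves it).
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    # 3. The CA signs the CSR. Clients match names against subjectAltName, so set it.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$name" > "$d/ext.cnf"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/ext.cnf" \
        -out "$d/server.pem" 2>/dev/null
}

# Does cert $2 chain to the root in $1? (What a client with the root imported checks.)
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# openssl reports "does match" / "does NOT match" as text, so test the text.
host_matches() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
ip_matches()   { openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'; }

work=$(mktemp -d)
make_internal_ca_cert "$work" www.jimsdomain.com
chain_ok "$work/ca.pem" "$work/server.pem" && echo "chain: OK against internal root"
for n in www.jimsdomain.com jimsdomain.com; do
    host_matches "$work/server.pem" "$n" && echo "$n: match" || echo "$n: MISMATCH"
done
ip_matches "$work/server.pem" 192.0.2.10 && echo "192.0.2.10: match" || echo "192.0.2.10: MISMATCH"
```
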


