# SSL certificate questions

## karl420

Ok,

I followed the gentoo virtual mailhosting howto to create a mail system. With the SSL certs that I made following the guide, a web browser or mail client using SSL has to accept my certificate. It says that I am an untrusted source. Is that because I don't want to pay Verisign $400 a year, or am I missing out on something here (maybe my certs aren't right?)?

Thanks,

Karl

----------

## vector0319

karl420,

Yes, you are correct. The mail client will ask to accept the cert because it is a self-signed certificate. I set up a full certificate authority (CA) locally and it still asks you if you want to accept it. If you are using a good email client then it will allow you to accept for the life of the cert (one year if you followed the howto exactly). So unless you want to fork out the money for a "trusted source" then this is a small pain to deal with. I have read some pages about getting a local CA to be a trusted source (aka not give an annoying message to the users), but was unsuccessful at doing it.

I didn't follow the gentoo guide, but I looked at it and the ssl stuff is basically the same as what I did for UW-IMAP. Hope this helps,

vector

----------

## karl420

Thanks a lot for the help! That does clear things up a little, and I was hoping that wasn't the problem, but assumed that it was.

Anyway - so I'm still going through an SSL tunnel, and the data is just as secure, right?

Karl

----------

## vector0319

 *karl420 wrote:*   

> Anyway - so I'm still going through an SSL tunnel, and the data is just as secure, right?

 

karl420,

Yep, the data is secure. You can test it out with a great program called ettercap. It allows you to watch connections from two machines and see the data going over your imap or www connections. It's so kewl to watch the traffic without ssl go over as plain text and see all the emails fly by, and then turn ssl on and see the beauty of a secure gobbledygook connection.

vector

----------

## karl420

Thank you SO much for your help!!

If there is anything I can do for you let me know. (Hosting, etc)

Karl

----------

## karl420

OK,

I think I've now figured out how to make my certificate trusted on any Windows machine. You get the cacert.pem, and run

```
openssl x509 -in cacert.pem -out cacert.crt
```

Then let the windows user download that file, double-click on it, then choose to install it in the "Trusted Root Authority Store".

I just have one problem. It still gives a warning, saying that the certificate is trusted, but the name doesn't match the site?

Also, this certificate seems to be installed in Windows (you access certs through Control Panel -> Users and Passwords -> Advanced tab) but Outlook still says that the root cert is not verified.

Any input is appreciated,

Karl Haines

----------

## paranode

 *karl420 wrote:*   

> I just have one problem. It still gives a warning, saying that the certificate is trusted, but the name doesn't match the site?

 

The Common Name (CN) must be the exact DNS name the user typed to get to the site.  For example, if it was www.google.com, that must be the CN.  You couldn't just use the IP address or localhost or anything else (unless that was the only way to access it).

----------

## cdunham

 *karl420 wrote:*   

> I dont want to pay verisign $400 a year

 

I imagine your target price is about $0, as mine is, but I just got one for a server that needed it from GeoTrust (http://www.geotrust.com/webtrust/index.htm) for $149.

Quite nice online signup, phone verification, and supporting competition in a market that desperately needs it...

I have no interest in the company or anything, just thought I'd pass it on...

----------

## puggy

Wow. ettercap is great. Never used that before. Now I can watch all my own traffic flowing around the network. Err, useful. Cool though. Good to see my ssl is working properly.

Cheers vector0319

EDIT: Ok. I was quite impressed before, but now I've experimented some more..... now I'm on a power trip. I can kill connections between computers and all sorts. Brilliant, I wish I'd discovered this last year, bye bye housemates' bittorrent connections.  :Very Happy:  Only kidding, wouldn't do that, but this package is seriously useful. *Experiments further*

EDIT: Time for a security rethink methinks. ssl all the way from now on.

Puggy

----------

## vector0319

ettercap is a great utility. I'm glad you like it. It has many uses and allows you to monitor insecure traffic and use ssl like you mentioned to lock down insecure traffic. I especially like to use it on the firewall and just watch as the passive os detection finds hundreds of sites per minute. It's interesting when you see a microsoft.com domain fly by and it lists it as a linux box  :Razz:

----------

## sidkdbl07

 *Quote:*   

> The Common Name (CN) must be the exact DNS name the user typed to get to the site.  For example, if it was www.google.com, that must be the CN.  You couldn't just use the IP address or localhost or anything else (unless that was the only way to access it).

 

Where do I set this CN value?

----------

## sidkdbl07

Ah.... when you create the certificate it asks you for the information (including the CN value).

Cheers!
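The certificate steps this thread circles around (a private CA root, a server certificate whose CN is exactly the name users type, converting cacert.pem into a .crt for the Windows trusted-root store, and checking that the result actually validates for the right host name) as one added example script. This is not code from any of the posts above. The host name mail.example.com, the temporary working directory and the 2048-bit RSA keys are assumptions. One caveat the thread predates: current browsers and mail clients ignore the CN entirely and require the host name in a subjectAltName extension, so the script puts the name in both, and it uses openssl's own hostname check to show a matching name verifying and a non-matching one failing.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a private CA, issues a
# server certificate for $HOST (CN and SAN), exports the CA root in DER form
# for Windows, and verifies the chain plus host name with openssl.
# HOST, WORK and the key sizes are assumptions for the example.
set -eu

HOST="${HOST:-mail.example.com}"
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-signed root. This is the only cert users must import as trusted;
  # cakey.pem never leaves this machine.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

make_server_cert() {
  # CSR with CN = the DNS name users type (the thread's point), plus the same
  # name as subjectAltName, which modern clients require and check instead.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  # Sign the CSR with the CA; one-year lifetime like the howto's certs.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

export_root_for_windows() {
  # PEM -> DER. Windows' import wizard accepts either encoding, but the
  # binary .crt/.cer form is what it expects when you double-click the file.
  openssl x509 -in "$WORK/cacert.pem" -outform DER -out "$WORK/cacert.crt"
}

verify_chain() {
  # Prints "ok" when server.crt chains to cacert.pem AND its name matches $1,
  # i.e. what a client that trusts our root will decide for that host name.
  if openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
       "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

if [ "${1:-}" = run ]; then
  make_ca
  make_server_cert
  export_root_for_windows
  echo "$HOST: $(verify_chain "$HOST")"
  echo "other.example.com: $(verify_chain other.example.com)"
  echo "import $WORK/cacert.crt into the Windows Trusted Root store"
fi
```

Running `sh certs.sh run` prints `ok` for mail.example.com and `fail` for any other name, which is exactly the "name doesn't match the site" warning from earlier in the thread reproduced on the command line: installing the root fixes the trust half, and only a certificate issued for the name the user actually types fixes the other half.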

----------

