On Sun, Jul 02, 2006 at 10:32:12PM +0200, FTP wrote:
> On Tue, Jun 27, 2006 at 05:03:52PM +0200, FTP wrote:
> > when I try to access the site via lynx I do get an SSL error message
> > moaning that I have a self-signed cert. After accepting this, the
> > page gets dispalyed.  So it looks like the problem is with the CA?
> > How do I correct that?  I found the a reference in
> > "manual/mod/mod_ssl/ssl_faq.html#ToC24" but mentions a "sign.sh"
> > script wich isn't present in the OBSD package. 
> 
> any chance to draw some attention to the above?

There are two basic solutions:
        1. Get a certificate from a commercial CA - Verisign, Thawte,
and the like. This will be trusted by default in most applications,
especially browsers.
        2. Create your own certificate, or whole CA chain. In this case,
you'll have to tell applications and visitors to accept the certificate.
I created my own CA, and had it sign one certificate per service. The
users then import the CA (in the ideal world) or just click 'accept
always' or the equivalent in their browser/mail client/... (in the real
world). [1]

If you want to go with the second option, Google has lots of HOWTO's.
It's not too difficult, but it does cost some work - and, being crypto,
finding out just why it doesn't work is not trivial.

                Joachim

[1] And then complain when the certificate expires. Well, the CA has a
much longer lifetime...
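
The second option above (your own CA signing one certificate per service), worked through with the openssl command line. This is an added example, not part of the original thread and not the sign.sh script; the CA name, the host www.example.org, the file layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example; names, hostnames and file names below are placeholders.

# make_ca DIR: CA key plus a self-signed CA certificate valid for 10 years.
# -nodes leaves the key unencrypted for this demo; protect a real CA key.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Private CA
CN = Example Root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# sign_service DIR HOST: key, CSR and a 1-year server certificate for HOST,
# signed by the CA in DIR (one certificate per service).
sign_service() {
    cat > "$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# trusts CAFILE CERT: succeeds only if CERT chains to the CA in CAFILE,
# which is what a client does once the CA certificate has been imported.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Only ca.crt is handed to users for import; ca.key stays on the signing machine, and each service gets its own .key/.crt pair.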
