I can't find the answer to this question online:
I have set an apache server with mod_ssl, using the guide at the bottom here:
https://help.ubuntu.com/10.04/serverguide/httpd.html
I am only using this privately to login to PHPMyAdmin and other control panels.
Using only SSL, is my connection securely encrypted, so logins are not passed as plain text? Or do I need a self-signed certificate?
Google Chrome says there is a certificate, but that it does not match the URL and that it is not trusted.
That tutorial says:
The default HTTPS configuration will use a certificate and key generated by the ssl-cert package. They are good for testing, but the auto-generated certificate and key should be replaced by a certificate specific to the site or server.
This means, that's there's a default certificate involved. You should generate your own certificate for personal use and look for nasty things when it changes during your connections. You can do that with tools like OpenSSL. If you want to secure a public site, you would need to buy a certificate from a respected authority, so plain users wouldn't be bothered to add the certificate to their browsers and they would also not track if that thing changes.
Related
I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet Portal with which the application communicate. My question is: does signing services generally provide also the certificate for the application either the certificate for the site? Can you sign the application with the same certificate or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You can not sign the application using the same cert as your are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g.: blog.domain.com, www.domain.com, chat.domina.com, static.domain.com...), this depends on the type of certificate you are using.
Also: Please note that you can get free SSL certificates (e.g.: LetsEncrypt provides them, and azure website can use free "managed" certs from microsoft.). However, to my knowledge, there are no free code signing certificates.
I got a few e-mails yesterday warning me that some of my WHM self-assigned SSL certificates are going to expire. I did not setup the WHM originally, but according to their documentation self-assigned certificates are usually created during the WHM installation.
Services that need a new certificate:
cPanel/WHM/Webmail Service
Exim (SMTP) Server
Dovecot Mail Server
FTP Server
All on the same domain (which is our main domain that we use to access whm).
All current services have self-assigned certificates. I don't know the point of having a self-assigned certificates if they create browser errors anyway.
So I guess I have 2 questions:
Are there any issues that could arise from resetting the current certificates?
Do I have to have a certificate at all? Our main domain (that has all these certificates) doesn't use SSL.
I'm afraid I don't have experience of WHM, but I do have experience with ssl certificates, so hopefully this will be helpful anyway.
If there are any existing clients who have been using the services over SSL, they will have already been accepting the existing self-signed certificates, so they should be able to accept the new ones. Whether this will happen automatically probably depends on the client.
You say your main domain doesn't use ssl. However, are you just talking about a website? Are there, for example, email clients which are talking to your Exim server using secure SMTP or to dovecot using secure IMAP for example? If so, then they'd need the server to provide an ssl certificate (and they may need to accept the new self-signed certificate).
Self-signed certificates will cause browser security exceptions that need to be accepted by users and they don't provide a guarantee of identity in the same way that 'proper' certificates do, but at least they enable encryption to be used for communication.
I had installed SSL certs one one of my cloud server by following this:
http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache
I am running jetpack plugin on my wordpress blog. The jetpack plugin is not getting connected to wordpress. I have talked with the Jetpack support guys and they say this:
Support Reply
"The problem is that OpenSSL doesn't recognize your certificate's Certificate Authority's certificate. The that URL works in browsers is because most modern browsers allow for certificate discovery by reading the "Authority Information Access" metadata from the certificate, which contains a URL from which the browser can download the CA's certificate. OpenSSL does not.
The best solution is if you can configure your webserver to supply the entire SSL certificate chain, rather than just your own certificate. That's what we do on WordPress.com. Sending the entire chain will also make your sites more compatible with older (and I believe some mobile) browsers."
Can any one describe me how can I install or provide entire certificate chain???
Thanks
These pages might help with setting up a CA and then creating a certificate: https://help.ubuntu.com/community/OpenSSL#SSL_Certificates
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
I need to implement a SSL certificate for a website, I've got three questions after some research.
1) I believe i need to buy a SSL certificate and ask my host to install it. My question is do you need to alter any code for the website for the certificate?
2) Before I buy the certificate, the website is going to be built for a couple of month at least. I'm just wondering is there a developing SSL certificate I can use for the developing environment?
3) Or do I have to use self assigned certificate? If so are there any good tutorials on how to create a SSL self assigned certificate on a local machine (wamp) and a developing url site?
Thank you very much.
Sam :)
1) No, you do not need to alter any code on your website at all in order to use an installed SSL certificate. It is as simple as prefixing your desired destination link with the HTTPS: protocol specification instead of the typical HTTP: protocol. However, if you want to determine if your site visitor is using an encrypted page before they do something, such as submit a web form with potentially sensitive data, then depending on what you are developing your site in, you will need to detect if the current page request has been sent over HTTP or HTTPS, then if it is an HTTP requested page, you probably want to redirect the page request to the HTTPS version before proceeding.
2) Other than creating your own "self signed" certificate (more on this in #3), no your only option for a publicly valid SSL certificate is to obtain one from a publicly recognized Certificate Authority (CA). Long story short, a certificate of the same key length using the same encryption standard supported by your server and visitor's web browser, is no stronger or weaker regardless of vendor for purposes of encryption. So you can simply shop by price for your SSL certs. I have no affiliation with GoDaddy, but have been using them for years for public SSL certificates.
3) You certainly can create your own self signed certificate. The methods for doing this vary based on your host server and version. The limitation to a self signed certificate, is that if you go to share this with anyone, you get that warning message from your browser that the certificate is not published from a verifiable source. In most current browsers, it looks like a big scary message that something is wrong and they attempt to warn your user away from doing this. However, of course, there is certainly nothing wrong with using a self signed certificate. This is obviously true for your own development uses. Even a self signed certificate of the same key length and encryption method is as cryptographically secure as a commercially provided certificate. If you want to use a self signed certificate, just search for instruction for doing that for your server OS and version for details. Once it is installed, you will get the warning from your browser when you try to browse to a page over HTTPS. Your browser should show you an option to permanently remember and accept your self signed certificate, after which you will no longer see that warning while that certificate remains installed and valid.
I created ssl certificate using IIS 5.1 and generated a file certreq.txt. Now what is the next step to use this file. I am a developer and working on a site that is host on my local machine. Is is necessary to get license from any CA?
Please guide me ASAP.
You can create a self-signed cert, but that will not be very elegant for end users if this is a public website as there is the prompt about cert validity. Otherwise, yes you need to obtain a cert from a CA. I find the best is Verisign, although DEFINITELY not the cheapest. Others are Godaddy, CheapDomain, and pretty much any registrar can help with it.
The link is for 5.1, but you can find tutorials on all versions. For testing I would go the self signed route.
The certificate generated from IIS, is a self-signed certificate, which can be used to test your website. However, if you run a public website from a self-signed certificate, every user will get a warning that the site is not safe. You will eventually need to get a license from a CA when you are ready to publish your site. Your domain host should provide an SSL certificate service, for something like $50-150/yr.
You can either self sign the certificate or send it to the CA to avoid the do-not-trust this site prompt. SSLTools Manager is a nifty app that can send your csr to a CA. Not sure about the self-signing feature though.