Article

(View Disclaimer)

Problem

A Forum reader recently asked:

"When accessing WebAccess via https, I get the following error:

Website certified by uknown authority 
Unable to verify the identity of hbg65.hbrentals.com as a trusted site.
Security error: Doman name mismatch
You have attempted to establish a connection with "mail.acme.com".
However, the security certificate presented belongs to "hbg65.acme.com". 
It is possible, though, unlikely, that someone may be trying to intercept your communication with this website.

The server that generates the SSL certificate is named hbg65. How do I get rid of this annoying error?"

And here's the response from Jim Michael ...

Solution

There are two issues going on here:

1) The certificate is generated for the server name, which doesn't match the DNS hostname you use to get to the site. This can be fixed by creating a new KMO (ndspki: Key Material object) and using (in your case) mail.acme.com and then configuring Apache to use THAT
certificate. However, you will still have another problem ...

2) All certificates you generate yourself (via the Novell certificate server) are, by definition, un-trusted, because there's no way every browser in the world can automatically know (trust) the "certificate authority" (YOU) that generated it. Real commercial certificates are signed by certificate authorities well-known to all browsers, thus they inherently "trust" certificates signed by them (Verisign, Thawte, Digicert, etc.).

The only way to fix this second issue is to keep using your own self-signed certificate and manually IMPORT it into the browser, after which it will "trust" your CA and won't nag you about it. Or, you can purchase a commercial certificate from a real certificate authority.

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.