Avoiding Certificate Errors in WebAccess

Novell Cool Solutions: Tip
By Jim Michael

Posted: 27 Mar 2007
 

Problem

A Forum reader recently asked:

"When accessing WebAccess via https, I get the following error:

Website certified by unknown authority
Unable to verify the identity of hbg65.hbrentals.com as a trusted site.
Security error: Domain name mismatch
You have attempted to establish a connection with "mail.acme.com".
However, the security certificate presented belongs to "hbg65.acme.com".
It is possible, though unlikely, that someone may be trying to intercept
your communication with this website.

The server that generates the SSL certificate is named hbg65. How do I get rid of this annoying error?"

And here's the response from Jim Michael ...

Solution

There are two issues going on here:

1) The certificate is generated for the server name, which doesn't match the DNS hostname you use to get to the site. This can be fixed by creating a new KMO (ndspki: Key Material object) and using (in your case) mail.acme.com and then configuring Apache to use THAT certificate. However, you will still have another problem ...

2) All certificates you generate yourself (via the Novell certificate server) are, by definition, un-trusted, because there's no way every browser in the world can automatically know (trust) the "certificate authority" (YOU) that generated it. Real commercial certificates are signed by certificate authorities well-known to all browsers, thus they inherently "trust" certificates signed by them (Verisign, Thawte, Digicert, etc.).

The only way to fix this second issue is to keep using your own self-signed certificate and manually IMPORT it into the browser, after which it will "trust" your CA and won't nag you about it. Or, you can purchase a commercial certificate from a real certificate authority.
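
The two failures and their fixes can be reproduced offline with the openssl command line. This is an added example, not part of the original tip: the private CA stands in for the Novell Organizational CA, the host names are the ones from the question, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Constructed lab: a throwaway private CA and two server certificates,
# checked for the two problems described above (name mismatch, unknown CA).
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Org CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
  -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 2>/dev/null

# issue NAME: sign a server certificate for NAME with the private CA
issue() {
  printf 'subjectAltName=DNS:%s\n' "$1" > "$d/$1.ext"
  openssl req -new -config "$d/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 -nodes \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl x509 -req -in "$d/$1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/$1.ext" -days 2 -out "$d/$1.pem" 2>/dev/null
}

# diagnose URL_HOST CERT_NAME TRUST: TRUST=imported means the CA certificate
# is in the client's trust store; any other value means it is not.
diagnose() {
  if [ "$3" = imported ]; then trust="-CAfile $d/ca.pem"
  else trust="-no-CAfile -no-CApath"; fi
  if out=$(openssl verify $trust -verify_hostname "$1" "$d/$2.pem" 2>&1); then
    echo ok
  elif printf '%s\n' "$out" | grep -q 'error 62'; then
    echo name-mismatch      # issue 1: certificate names a different host
  else
    echo untrusted-issuer   # issue 2: client does not know the signing CA
  fi
}

issue hbg65.acme.com
issue mail.acme.com
diagnose mail.acme.com hbg65.acme.com imported  # server-name cert behind the mail URL
diagnose mail.acme.com mail.acme.com none       # right name, CA not imported
diagnose mail.acme.com mail.acme.com imported   # right name, CA imported
```

Against a live server, `openssl s_client -connect mail.acme.com:443 -verify_hostname mail.acme.com` reports the same verification codes for the certificate Apache actually presents.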

