fc wrote:
> When connecting to a secured site, with a site certificate issued from a
> certificate authority not recognised by NN 4.7, I have a "New Site
> Certificate" wizard.
>
> How can I fill this wizard programmatically?

You can understand the need for us not to have a way to make this happen automatically and quietly from just any web site. Doing so could allow an attacker to load an untrusted site certificate into a user's cert database and masquerade as anyone he wants.

> I can run whatever program on the client PC. It is for a secured intranet
> and the customer does not want users to see and fill this wizard for its own
> server.

I need a little more info on your environment. I'm going to assume that these users are all under administrative control of your customer. The only way to get the effect that you want is to get your customer's CA loaded into all the users' cert databases. You have a couple of options: 1) download using NN 4.7, 2) using an external program to load the root cert into the database, 3) providing a pre-loaded database to your users.

Option 1 is far and away the easiest and safest to implement, but requires user participation. You export your CA certificate on a web server with the appropriate MIME type. Direct your users (perhaps from your home page) to this page, with appropriate documentation. This step will generate a dialog to the user (again, we don't want to allow some malicious attacker to silently introduce a new CA certificate), but once the CA cert is loaded, then you can issue as many server certs as you wish from this CA. Most CA software (like Netscape Certificate Management System) automatically provides a page you can direct users to download the CA.

Option 2 would be to use some program like certutil (from mozilla/security/nss/cmd/certutil) to add a new CA cert with the appropriate trust to the user's db. This option requires 1) the update happens when Netscape is shut down, and 2) access to the user's hard drive and profile area.

Option 3 would be to use a program like certutil to generate a cert7.db file which has the CA pre-loaded, then distributing that cert7.db file. This is by far the least attractive. It won't work if the user had email or SSL client auth certificates. It really is only interesting if you are installing new systems, not upgrading systems.

If users aren't under your administrative control, my suggestion would be to go get a certificate which has been issued by one of the several CAs that are already in the NN 4.7 database.

> Thanks.
>
> Francois.
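Option 2 in practice, as an added example that is not part of the thread and not NSS project code: a small POSIX shell wrapper around the NSS `certutil` tool that adds a CA to a user's profile database with SSL-only trust, and that refuses to touch the database while the browser holds it open. The profile directory, the nickname `Corp CA`, the file `ca.pem`, and the use of a `lock` entry in the profile directory as the "Netscape is running" indicator are assumptions for illustration. The `-A`, `-d`, `-n`, `-t` and `-i` options and the trust string `C,,` are real certutil syntax; `C,,` marks the certificate as a trusted CA for SSL server certs only, which is all an intranet server CA needs.

```shell
#!/bin/sh
# Added example, not from the thread or from NSS. Assumes certutil is on PATH
# and that PROFILE_DIR holds the user's cert database (cert7.db for NN 4.7).

# Build the certutil command line for adding a CA with SSL trust only.
# Echoes the command instead of running it, so an administrator can review
# exactly what will be written to the database before it happens.
# Trust "C,," = trusted CA for SSL; no email or object-signing trust granted.
nss_add_ca_cmd() {
    profile_dir=$1
    nickname=$2
    ca_pem=$3
    printf 'certutil -A -d %s -n "%s" -t "C,," -i %s\n' \
        "$profile_dir" "$nickname" "$ca_pem"
}

# Return success only when no browser appears to have the database open.
# ASSUMPTION for this example: a running Netscape leaves a "lock" entry in
# the profile directory; the thread's requirement is simply that the update
# happen while Netscape is shut down.
nss_db_idle() {
    profile_dir=$1
    if [ -e "$profile_dir/lock" ]; then
        return 1
    fi
    return 0
}

# Perform the import: check the tool exists, check the db is idle, then run
# the reviewed command. Any failure leaves the database untouched.
nss_add_ca() {
    profile_dir=$1
    nickname=$2
    ca_pem=$3
    if ! command -v certutil >/dev/null 2>&1; then
        echo "certutil not found on PATH" >&2
        return 2
    fi
    if ! nss_db_idle "$profile_dir"; then
        echo "profile $profile_dir is in use; close Netscape first" >&2
        return 3
    fi
    if [ ! -r "$ca_pem" ]; then
        echo "CA file $ca_pem is not readable" >&2
        return 4
    fi
    cmd=$(nss_add_ca_cmd "$profile_dir" "$nickname" "$ca_pem")
    echo "running: $cmd"
    eval "$cmd"
}
```

Usage on a workstation would be `nss_add_ca "$HOME/.netscape" "Corp CA" ca.pem` after the user has quit the browser. Keeping the trust string to `C,,` rather than a broader `CT,C,C` follows least privilege: the intranet CA is trusted to vouch for servers only, not for signed mail or downloaded code.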
