Thank you for your informative answer. I will try option 2.
Francois Compagne.

"Robert Relyea" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> fc wrote:
> > When connecting to a secured site, with a site certificate issued from a
> > certificate authority not recognised by NN 4.7, I have a "New Site
> > Certificate" wizard.
> >
> > How can I fill this wizard programmatically?
>
> You can understand the need for us not to have a way to make this happen
> automatically and quietly from just any web site. Doing so could allow
> an attacker to load an untrusted site certificate into a user's cert
> database and masquerade as anyone he wants.
>
> > I can run whatever program on the client PC. It is for a secured intranet
> > and the customer does not want users to see and fill this wizard for its own
> > server.
>
> I need a little more info on your environment. I'm going to assume that
> these users are all under administrative control of your customer.
>
> The only way to get the effect that you want is to get your customer's
> CA loaded into all the users' cert databases. You have a couple of
> options: 1) download using NN 4.7, 2) using an external program to load
> the root cert into the database, 3) providing a pre-loaded database to
> your users.
>
> Option 1 is far and away the easiest and safest to implement, but
> requires user participation. You export your CA certificate on a web
> server with the appropriate MIME type. Direct your users (perhaps from
> your home page) to this page, with appropriate documentation. This step
> will generate a dialog to the user (again, we don't want to allow some
> malicious attacker to silently introduce a new CA certificate), but once
> the CA cert is loaded, then you can issue as many server certs as you
> wish from this CA. Most CA software (like Netscape Certificate
> Management System) automatically provides a page to which you can direct
> users to download the CA.
>
> Option 2 would be to use some program like certutil (from
> mozilla/security/nss/cmd/certutil) to add a new CA cert with the
> appropriate trust to the user's db. This option requires 1) the update
> happen when Netscape is shut down, and 2) access to the user's hard drive
> and profile area.
>
> Option 3 would be to use a program like certutil to generate a cert7.db
> file which has the CA pre-loaded, then distributing that cert7.db file.
> This is by far the least attractive. It won't work if the user has email
> or SSL client auth certificates. It really is only interesting if you
> are installing new systems, not upgrading systems.
>
> If users aren't under your administrative control, my suggestion would
> be to go get a certificate which has been issued by one of the several
> CAs that are already in the NN 4.7 database.
>
> > Thanks.
> >
> > Francois.
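As an added example, not code from either poster, here is what option 2 looks like as a small POSIX shell script: it builds the certutil invocation that adds a CA with SSL-only trust, checks the two preconditions Relyea lists (Netscape shut down, access to the profile directory) before touching the database, keeps a backup of cert7.db, and verifies the entry afterwards. The profile path, CA file name, nickname and the process name "netscape" are placeholders; the "dbm:" prefix assumes a legacy cert7.db/key3.db profile rather than the newer sqlite cert9.db format.

```shell
#!/bin/sh
# Added example, not code from the thread: load a customer CA certificate into
# a user's Netscape/NSS certificate database with certutil (Robert Relyea's
# "option 2"), with the two preconditions he lists checked first.
#
# Assumptions (placeholders, not from the original posts):
#   - certutil from NSS is on PATH.
#   - The profile directory holds the legacy cert7.db/key3.db pair, so the
#     database is opened with the "dbm:" prefix; newer certutil builds
#     otherwise default to the sqlite cert9.db format.
#   - The browser process is named "netscape".

# Print the certutil command line. Trust flags "C,," make the cert a trusted
# CA for SSL server certs only; email and object-signing trust stay unset,
# which is the least trust that still makes the intranet server certs verify.
build_certutil_cmd() {
    profile_dir=$1
    ca_file=$2
    nickname=$3
    printf "certutil -A -d dbm:%s -n '%s' -t 'C,,' -i %s\n" \
        "$profile_dir" "$nickname" "$ca_file"
}

# Return 0 only when it is safe to write the database: the profile and its
# cert7.db exist, and no Netscape process holds the db open.
check_profile() {
    profile_dir=$1
    if [ ! -d "$profile_dir" ]; then
        echo "no such profile directory: $profile_dir" >&2
        return 1
    fi
    if [ ! -f "$profile_dir/cert7.db" ]; then
        echo "no cert7.db in $profile_dir" >&2
        return 1
    fi
    if ps -eo comm= 2>/dev/null | grep -qx netscape; then
        echo "Netscape is running; shut it down before touching cert7.db" >&2
        return 1
    fi
    return 0
}

# Add the CA, keeping a backup of the db, and verify the entry was written.
add_ca() {
    profile_dir=$1
    ca_file=$2
    nickname=$3
    check_profile "$profile_dir" || return 1
    if [ ! -f "$ca_file" ]; then
        echo "CA certificate file not found: $ca_file" >&2
        return 1
    fi
    cp "$profile_dir/cert7.db" "$profile_dir/cert7.db.bak" || return 1
    certutil -A -d "dbm:$profile_dir" -n "$nickname" -t "C,," -i "$ca_file" \
        || return 1
    # certutil -L lists nickname and trust flags; the new entry must show "C".
    certutil -L -d "dbm:$profile_dir" | grep -F "$nickname"
}

# Usage: sh add_ca.sh /home/alice/.netscape intranet-ca.pem "Intranet CA"
if [ "$#" -eq 3 ]; then
    add_ca "$1" "$2" "$3"
fi
```

Run it once per user profile, from a login script or an administrator's push job, while the browser is closed; the running-process check is the guard against the corrupted cert7.db you get when certutil and Netscape write the same file. Granting only "C,," rather than "CT,C,C" keeps the customer's CA from also becoming a trusted e-mail or object-signing authority on the workstation.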
