Re: My bank has an invalid cert

Crypto Sal Thu, 25 Aug 2011 14:28:11 -0700

You typically import certs through the Firefox certificate manager foundvia "Edit -> Preferences -> Adv. -> Encryption -> View Certificates". Itshould be self explanatory from here. The only other question thatremains is which Root CA. That can only be done by reading thecertificate hierarchy that is presented by the bank's server, which itshould provide you upon making an s_client connection.



On 08/25/2011 05:15 PM, t...@terralogic.net wrote:

I know the theory.  I'm also a programmer.  I just never bothered to install a 
root cert before.  But I do know how to make them.

I'll dig around in FireFox and see where it is and how its done.

As for the bank.  We build it and they break it.  Not my fault.


On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

the answer lies with the people who wrote the software for the certificate 
store since the whole point is trust.

If users could manipulate the root certificate store, then it would be 
impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the 
correct answer (where to store, how much to trust)

You can open 'keychain access' on a Macintosh or use Windows MMC to delete 
certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have 
to be. If your computer doesn't automatically trust your bank's certificates, 
then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root 
certificates that are part of your OS, then copy everything off the hard drive 
and re-install a fresh copy of your OS. That is the only way you can trust that 
your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:

I already know its my certificate store.  I only asked how to load in their 
noew root cert

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's 
your computer or their certificates.

If it's your computer, it's either your browser or your OS Certificate store 
(Windows and Macintosh use entirely different methods to accomplish).

Firefox uses it's own certificates... if it's Firefox on your computer... 
uninstall it completely and re-install it.

If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store 
and you will probably need to get the OS to update the Root Certificates.

This is all pretty much beyond what a user can manage but some users can manage 
them, but this is the wrong list... it would be an OS problem.

Craig

On Aug 25, 2011, at 12:06 PM, t...@terralogic.net wrote:

TDWaterhouse  In Canada.  I'm in Calgary.  THose idjots tell me to reboot my 
computer when their Apache servers in TO send me a misconfiguration message.  I 
told them yesterday we build it and you break it.  Something is desperatly 
wrong.


On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.

If we had the bank URL, we would be able to better help you to resolve
this issue.


On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help.  But it doesn't help me to defer to a package 
manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:
Top posting to a hijacked thread is not the way to get
a quick and useful reply.
Next time, start your own. Mailing list threads are cheap.

I see my bank has an invalid cert.  Likely I have an old cert chain.  I'm 
running Debian Linux and firefox.

Use anyone of the distribution provided package managers to download and
install the most recently released package of certificates.

Can anyone tell me where to install a valid root cert?  Like what directory?
I would think the bank should be able to provide the root of the chain.
I'll need to know SPECICALLY what to ask them for.

Asking the operator of the site you wish to authenticate for the certificate
is similar to asking the Fox to guard your Chicken House.

Get the root certificate from an "independent", trusted, source.
Using your distribution's package management will take care of that concern.

I've created my own certs of course but just not recently.
Also I never tried to install the CA cert for firefox.

Your distribution's package manager already has that handled.
All you have to do is use it.

Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  craig.wh...@ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com

Need help communicating between generations at work to achieve your desired 
success? Let us help!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  craig.wh...@ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com

Need help communicating between generations at work to achieve your desired 
success? Let us help!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Re: My bank has an invalid cert

Reply via email to