On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <[email protected]> wrote:

> On 22/10/2010, at 10:21 AM, James McGill wrote:
>
> > On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <[email protected]> wrote:
> >
> >> No - just the usual error messages you would expect to see if it were the
> >> self signed cert we currently have installed in the demo box.
> >
> > On a related note, I wonder if anyone has a simple cookbook example for
> > authorizing a self-signed cert to all the clients in a controlled, in-house
> > enterprise environment. We do not want to spend money on server certs for
> > what is strictly an internal application, but we have enough clients that it
> > is a problem to go through the steps of accepting a self-signed cert for
> > every user. I have tried making an internal CA, but I never succeeded in
> > getting browsers to automatically accept the CA and not ask for validation
> > on the server certs. I have complete control of the client, the server, and
> > the network, and I wish I could pre-load SSL authorization so that we have
> > the benefits of SSL other than the external CA part.
>
> You can configure your browser to always trust a self signed cert, google
> is your friend here and nothing about it is OFBiz specific. If the
> application is going to be accessed over the internet though then you are
> better off paying for a certificate which really isn't very expensive.

Thanks -- I understand this, but doing it for hundreds of clients is a pain. That's why I want to do something like create a private CA and include it in a standard configuration. Google is not all that friendly in this case.

I understand SSL and Cert Authority pretty well, and have been able to accomplish the desired result with Apache, but not with Catalina (or OFBiz). I posted here in hopes that someone had, literally, a cookbook example of how to do it.

Our OFBiz installation is not accessible from the internet in any way whatsoever. It's strictly an internal service for a manufacturing facility.
Ok, so let's say Google is my friend. I fully understand the instructions here:

http://www.initsix.co.uk/content/how-create-internal-certificate-authority

I get this far and then fail to spark the gap between having this CA key, generated cert, and then configuring all browsers in the facility so that they will accept this and any other cert signed by that CA. There is also some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles a keystore.

I'm here to say that Google is not all that friendly on these topics, and in my defense, I'm not exactly being ignorant or lazy here.

--
James McGill
Phoenix AZ
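
Added example, not part of the original thread and not OFBiz's own code: one way to build the private CA, a server certificate signed by it, and a PKCS#12 keystore of the kind Tomcat reads, using the openssl CLI. The subject names, hostname, password and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA -> signed server cert -> PKCS#12 keystore.
# All names, the hostname and the password are constructed placeholders.
set -eu

# build_internal_pki DIR HOSTNAME KEYSTORE_PASSWORD
build_internal_pki() {
  pki_dir=$1; pki_host=$2; pki_pass=$3
  mkdir -p "$pki_dir"
  # Private config so the result does not depend on the system openssl.cnf.
  cat > "$pki_dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Plant
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$pki_host
EOF
  # 1. CA key and self-signed CA certificate (CA:TRUE). ca.crt is the only
  #    file the clients import; ca.key stays offline.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$pki_dir/pki.cnf" -extensions v3_ca \
    -subj "/O=Example Plant/CN=Example Internal CA" \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt"
  # 2. Server key and certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$pki_dir/pki.cnf" -subj "/O=Example Plant/CN=$pki_host" \
    -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr"
  # 3. CA signs the request; the hostname goes into subjectAltName.
  openssl x509 -req -in "$pki_dir/server.csr" -sha256 -days 825 \
    -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
    -extfile "$pki_dir/pki.cnf" -extensions v3_server \
    -out "$pki_dir/server.crt"
  # 4. Key + server cert + CA cert in one keystore file; Apache httpd
  #    would instead be pointed at server.crt / server.key as PEM files.
  openssl pkcs12 -export -name tomcat -inkey "$pki_dir/server.key" \
    -in "$pki_dir/server.crt" -certfile "$pki_dir/ca.crt" \
    -passout "pass:$pki_pass" -out "$pki_dir/server.p12"
}

# Succeeds only if server.crt chains to ca.crt, as a client that trusts
# ca.crt would check it.
check_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt"; }

if [ $# -eq 3 ]; then build_internal_pki "$@" && check_chain "$1"; fi
```

Clients that have ca.crt in their trust store accept server.crt and any later certificate signed by the same CA without a per-site prompt; how ca.crt reaches each browser's trust store depends on the client platform and is not shown here.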
