On 22/10/2010, at 10:52 AM, James McGill wrote:

> On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <[email protected]>wrote:
> 
>> On 22/10/2010, at 10:21 AM, James McGill wrote:
>> 
>>> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <[email protected]> wrote:
>>> 
>>>> No - just the usual error messages you would expect to see if it were the
>>>> self-signed cert we currently have installed in the demo box.
>>>> 
>>> On a related note, I wonder if anyone has a simple cookbook example for
>>> authorizing a self-signed cert to all the clients in a controlled, in-house
>>> enterprise environment.  We do not want to spend money on server certs for
>>> what is strictly an internal application, but we have enough clients that it
>>> is a problem to go through the steps of accepting a self-signed cert for
>>> every user.  I have tried making an internal CA, but I never succeeded in
>>> getting browsers to automatically accept the CA and not ask for validation
>>> on the server certs.  I have complete control of the client, the server, and
>>> the network, and I wish I could pre-load SSL authorization so that we have
>>> the benefits of SSL other than the external CA part.
>> 
>> 
>> You can configure your browser to always trust a self-signed cert, Google
>> is your friend here and nothing about it is OFBiz specific.  If the
>> application is going to be accessed over the internet though then you are
>> better off paying for a certificate which really isn't very expensive.
>> 
> 
> Thanks -- I understand this, but doing it for hundreds of clients is a
> pain.

Not sure I follow you there, hundreds of users or hundreds of deployments?

Either way, browsers are set up to only trust certain signing authorities and 
there is no way to bypass that without reconfiguring each browser.  IMO that is 
the pain and if you're doing it for any more than a few users then a proper 
certificate begins to make sense pretty quickly.

> That's why I want to do something like create a private CA and include it in
> a standard configuration.

Everything below is a different topic, you're asking about installing a 
certificate in OFBiz/Tomcat and that process is the same regardless of how it 
was signed.  I'm pretty sure people have documented it in the wiki but I don't 
do it often enough to be able to give you any useful info off the top of my 
head.


> Google is not all that friendly in this case.  I understand SSL and Cert
> Authority pretty well, and have been able to accomplish the desired result
> with Apache, but not with Catalina (or OFBiz).  I posted here in hopes that
> someone had, literally, a cookbook example of how to do it.
> 
> Our OFBiz installation is not accessible from the internet in any way
> whatsoever.   It's strictly an internal service for a manufacturing
> facility.
> 
> Ok, so let's say Google is my friend.  I fully understand the instructions
> here:
> http://www.initsix.co.uk/content/how-create-internal-certificate-authority
> 
> I get this far and then fail to spark the gap between having this CA key,
> generated cert, and then configuring all browsers in the facility so that
> they will accept this and any other cert signed by that CA.  There is also
> some confusion as to how Apache HTTPD loads certs, versus how Tomcat handles
> a keystore.   I'm here to say that Google is not all that friendly on these
> topics, and in my defense, I'm not exactly being ignorant or lazy here.
> 
> -- 
> James McGill
> Phoenix AZ
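
The "cookbook" James asks for, as an added example that is not part of this thread, of OFBiz, or of the initsix page he links: it builds a private CA with the OpenSSL command line, signs a server certificate for one internal host (with a subjectAltName, which browsers require to match the host name), verifies the chain the way a client that trusts the CA would, and packages key, server cert and CA cert as a PKCS#12 file that Tomcat can load directly as its keystore. The host name `ofbiz.example.internal`, the organisation names, the `changeit` password and the working directory are constructed placeholders; the only assumption about the environment is that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or the OFBiz project): private CA ->
# signed server cert -> PKCS#12 keystore for Tomcat. All names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
CA_DAYS=3650                          # lifetime of the internal root CA
SERVER_DAYS=825                       # lifetime of the server certificate
HOSTNAME_INTERNAL="ofbiz.example.internal"   # placeholder internal host name

make_internal_ca() {
  # CA key plus self-signed CA certificate. ca.crt is the ONE file that gets
  # distributed to client trust stores; ca.key must never leave the signing host.
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Internal Root CA
O = Example Manufacturing
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -key "$WORK/ca.key" -days "$CA_DAYS" \
    -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

issue_server_cert() {
  # Server key + CSR, then a CA-signed cert carrying a SAN for the host name.
  host="$1"
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\nO = Example Manufacturing\n' \
    "$host" > "$WORK/server.cnf"
  openssl req -new -key "$WORK/server.key" -config "$WORK/server.cnf" \
    -out "$WORK/server.csr"
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$SERVER_DAYS" -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

build_tomcat_keystore() {
  # One PKCS#12 file with the server key, server cert and CA cert; Tomcat reads
  # it with keystoreType="PKCS12", so no keytool import step is needed.
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -name tomcat -passout pass:changeit \
    -out "$WORK/ofbiz.p12"
}

verify_chain() {
  # What a browser that trusts ca.crt does: chain server.crt back to the CA.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

cert_has_san() {
  # Confirm the SAN is present; without it modern browsers reject the cert.
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$1"
}

keystore_opens() {
  # Check the PKCS#12 MAC with the password Tomcat will be given.
  openssl pkcs12 -in "$WORK/ofbiz.p12" -passin pass:changeit -noout
}

main() {
  make_internal_ca
  issue_server_cert "$HOSTNAME_INTERNAL"
  build_tomcat_keystore
  verify_chain && cert_has_san "$HOSTNAME_INTERNAL" && keystore_opens
  echo "CA: $WORK/ca.crt  keystore: $WORK/ofbiz.p12"
}

main "$@"
```

Point the Tomcat HTTPS connector at the result with its standard attributes (`keystoreFile="/path/to/ofbiz.p12" keystoreType="PKCS12" keystorePass="changeit"`; where that connector lives in a given OFBiz release is not something this example assumes). On the client side only `ca.crt` is distributed: browsers that use the operating system trust store pick it up from there, while Firefox keeps its own NSS store and needs the CA pushed separately. The risk to weigh is that whoever holds `ca.key` can mint a certificate for any host the whole fleet now trusts, so keep that key off the web server and treat its compromise as a fleet-wide incident.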
