On 22 Oct 2010, at 06:49, Scott Gray wrote:

> On 22/10/2010, at 10:52 AM, James McGill wrote:
>
>> On Thu, Oct 21, 2010 at 2:40 PM, Scott Gray <[email protected]> wrote:
>>
>>> On 22/10/2010, at 10:21 AM, James McGill wrote:
>>>
>>>> On Thu, Oct 21, 2010 at 6:56 AM, Sam Hamilton <[email protected]> wrote:
>>>>
>>>>> No - just the usual error messages you would expect to see if it were
>>>>> the self signed cert we currently have installed in the demo box.
>>>>
>>>> On a related note, I wonder if anyone has a simple cookbook example for
>>>> authorizing a self-signed cert to all the clients in a controlled,
>>>> in-house enterprise environment. We do not want to spend money on server
>>>> certs for what is strictly an internal application, but we have enough
>>>> clients that it is a problem to go through the steps of accepting a
>>>> self-signed cert for every user. I have tried making an internal CA, but
>>>> I never succeeded in getting browsers to automatically accept the CA and
>>>> not ask for validation on the server certs. I have complete control of
>>>> the client, the server, and the network, and I wish I could pre-load SSL
>>>> authorization so that we have the benefits of SSL other than the
>>>> external CA part.
>>>
>>> You can configure your browser to always trust a self signed cert, Google
>>> is your friend here and nothing about it is OFBiz specific. If the
>>> application is going to be accessed over the internet though then you are
>>> better off paying for a certificate which really isn't very expensive.
>>
>> Thanks -- I understand this, but doing it for hundreds of clients is a
>> pain.
>
> Not sure I follow you there, hundreds of users or hundreds of deployments?
>
> Either way, browsers are set up to only trust certain signing authorities
> and there is no way to bypass that without reconfiguring each browser. IMO
> that is the pain and if you're doing it for any more than a few users then
> a proper certificate begins to make sense pretty quickly.

Yes, with a real SSL that works with all browsers now coming in around $11 a year, or a free one that works with Firefox, Safari and Chrome perfectly, why go to the extra effort of creating a CA?

>> That's why I want to do something like create a private CA and include it
>> in a standard configuration.
>
> Everything below is a different topic, you're asking about installing a
> certificate in OFBiz/Tomcat and that process is the same regardless of how
> it was signed. I'm pretty sure people have documented it in the wiki but I
> don't do it often enough to be able to give you any useful info off the top
> of my head.
>
>> Google is not all that friendly in this case. I understand SSL and Cert
>> Authority pretty well, and have been able to accomplish the desired result
>> with Apache, but not with Catalina (or OFBiz). I posted here in hopes that
>> someone had, literally, a cookbook example of how to do it.
>>
>> Our OFBiz installation is not accessible from the internet in any way
>> whatsoever. It's strictly an internal service for a manufacturing
>> facility.
>>
>> Ok, so let's say Google is my friend. I fully understand the instructions
>> here:
>> http://www.initsix.co.uk/content/how-create-internal-certificate-authority
>>
>> I get this far and then fail to spark the gap between having this CA key,
>> generated cert, and then configuring all browsers in the facility so that
>> they will accept this and any other cert signed by that CA. There is also
>> some confusion as to how Apache HTTPD loads certs, versus how Tomcat
>> handles a keystore. I'm here to say that Google is not all that friendly
>> on these topics, and in my defense, I'm not exactly being ignorant or lazy
>> here.
>>
>> --
>> James McGill
>> Phoenix AZ
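The private-CA route discussed in this thread, sketched as an added example that is not part of the original messages or of OFBiz: it creates an internal root, signs a server certificate, packs it into a PKCS#12 keystore of the kind Tomcat loads, and checks the result the way a client trusting only that root would. It assumes the `openssl` command-line tool; the host name, CA subject, password and file names are constructed placeholders.

```bash
# Added example. Host name, CA subject, password and file names are constructed.
set -eu

make_internal_ca() {        # $1 = output directory
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root; CA:TRUE is what lets clients use it as a trust anchor.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_server_cert() {       # $1 = directory, $2 = DNS name clients will type
  # -config only avoids depending on a system openssl.cnf; -subj sets the name.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  # Browsers match the host against subjectAltName, so it must be present.
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=DNS:$2" > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/server.ext" \
    -out "$1/server.crt" 2>/dev/null
}

build_tomcat_keystore() {   # $1 = directory, $2 = keystore password
  # Apache HTTPD reads server.crt/server.key as PEM files; Tomcat reads one
  # keystore (keystoreFile, keystorePass, keystoreType="PKCS12" on the Connector).
  openssl pkcs12 -export -name tomcat -inkey "$1/server.key" \
    -in "$1/server.crt" -certfile "$1/ca.crt" -passout "pass:$2" \
    -out "$1/tomcat.p12"
}

verify_against_ca() {       # what a client that trusts only ca.crt will decide
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" \
    >/dev/null 2>&1
}

# Usage: sh internal-ca.sh <outdir> <hostname> <keystore-password>
if [ $# -eq 3 ]; then
  make_internal_ca "$1"; issue_server_cert "$1" "$2"
  build_tomcat_keystore "$1" "$3"; verify_against_ca "$1" "$2"
fi
```

Only `ca.crt` is imported into the clients' trust stores; `ca.key` stays off the server and off the clients, since anyone holding it can issue certificates those clients will accept.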
