[OPEN-ILS-DEV] Certificate question

Bill Ott bott at grpl.org
Fri Jun 6 11:27:37 EDT 2008


Robert said the following on 06/06/2008 10:16 AM:
> Originally I was able to permanently accept the self-signed 
> certificate in the staff client. That certificate was only valid for 1 
> month and once that month was up it started prompting me for it again. 
> I was able to recreate the certificate with a time limit of 1 year but 
> now it won't permanently accept it. Why was I able to permanently 
> accept it the first time but not this time?

You should be able to.  Just remove the existing cert and replace it 
with a new one.  The option to add more than a month is provided with 
the -days arg.  This example will set you up for over 2 1/2 years.
   e.g.   openssl req -new -x509 -nodes -days 999 -out server.crt -keyout server.key

You'll need to restart apache.


If your client is the problem (and I don't know why it would be), to 
reset your client and let it replace any existing cert info, remove the 
cert8.db and key.db files from the OpenILS profile.  Under Windows, 
probably found under:
   C:\Documents and Settings\<user>\Application Data\OpenILS\openils_ils_staff_client\Profiles\<random string>\


Having said that, Dan's correct about purchasing a cert if you're going 
to be using this in production, otherwise patrons will be prompted to 
accept a certificate from this "unknown" signer for any SSL traffic 
(e.g. My Account), and I.E. 7 in particular has a really nasty dialog 
that reports this as "Not Recommended" to the user.


>
> On Fri, Jun 6, 2008 at 10:12 AM, Dan Scott <denials at gmail.com 
> <mailto:denials at gmail.com>> wrote:
>
>     2008/6/6 Robert <glibrarysystem at gmail.com
>     <mailto:glibrarysystem at gmail.com>>:
>     > How can I import the certificate into the staff client on a windows machine
>     > so that I don't have to accept it every time I start the staff client? I
>     > have tried to import it through the normal means, internet options ->
>     > content -> certificates but it still asks me to accept it after that. Also,
>     > I can't accept it permanently when it asks. I click the radio button for
>     > Accept this certificate permanently and then click ok but it brings the same
>     > screen back up every time I do it. The only way I can get it to continue on
>     > loading the staff client is to temporarily accept the certificate for the
>     > session. Does anyone have any suggestions as to how to make this permanent?
>
>     Hi Robert:
>
>     I'm not sure it's possible to permanently accept a self-signed
>     certificate in the staff client - particularly through Windows'
>     certificate methods, which I believe would only affect Internet
>     Explorer. The staff client is built on Mozilla XUL which uses a
>     separate means of ensuring secure communications.
>
>     If you purchase and deploy a SSL certificate from a trusted certified
>     authority, I believe that you won't be prompted to accept the
>     certificate at all (until it expires, etc). There are a number of web
>     sites that provide more information about SSL, and that describe how
>     to purchase and deploy certified SSL keys: here's one -
>     http://www.sitepoint.com/article/securing-apache-2-server-ssl
>
>     --
>     Dan Scott
>     Laurentian University
>
>
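
Added example, not part of the original message or of Evergreen's own code: a shell sketch that regenerates a self-signed certificate with the `-days` argument discussed above and checks its validity window and key pairing before Apache is restarted. The CN `evergreen.example.org`, the scratch directory and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The CN, file locations and function names are assumptions.

# Create a self-signed certificate and key in directory $2, valid for $1 days.
# -subj answers the subject prompts so the command runs unattended.
make_cert() {
    openssl req -new -x509 -nodes -days "$1" \
        -subj "/CN=evergreen.example.org" \
        -out "$2/server.crt" -keyout "$2/server.key" 2>/dev/null
}

# Succeed only if certificate $1 is still valid $2 days from now.
valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed only if key $2 belongs to certificate $1 (compare public keys).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint, for comparing against the certificate a client reports.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo in a scratch directory: a 30-day certificate versus the 999-day one.
work=$(mktemp -d)
mkdir "$work/short" "$work/long"
make_cert 30 "$work/short"
make_cert 999 "$work/long"
for d in short long; do
    crt="$work/$d/server.crt"
    openssl x509 -in "$crt" -noout -enddate
    if valid_in_days "$crt" 365; then
        echo "$d: still valid a year from now"
    else
        echo "$d: expires within a year"
    fi
done
key_matches_cert "$work/long/server.crt" "$work/long/server.key" \
    && echo "long: key matches certificate"
cert_fingerprint "$work/long/server.crt"
rm -rf "$work"
```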
