[OPEN-ILS-DEV] Certificate question

Robert glibrarysystem at gmail.com
Fri Jun 6 12:53:32 EDT 2008


Bill,

  Yeah I did remove the server.crt and server.key from the /etc/apache/ssl
directory and created a new one that was valid for a year already. I also
restarted apache. That didn't work either. Then I tried to restart the
entire server. Still asked to accept the certificate. Like I said, I don't
know why it let me accept it permanently the first time but this time it
won't. I'll check into getting a certificate from a CA but we are still in
the testing phase right now and I don't want to necessarily purchase the
cert before I know for sure that we are going to be switching over to
Evergreen. Thanks for the thoughts though.

On Fri, Jun 6, 2008 at 11:27 AM, Bill Ott <bott at grpl.org> wrote:

> Robert said the following on 06/06/2008 10:16 AM:
>
>> Originally I was able to permanently accept the self-signed certificate in
>> the staff client. That certificate was only valid for 1 month and once that
>> month was up it started prompting me for it again. I was able to recreate
>> the certificate with a time limit of 1 year but now it won't permanently
>> accept it. Why was I able to permanently accept it the first time but not
>> this time?
>>
>
> You should be able to.  Just remove the existing cert and replace it with a
> new one.  The option to add more than a month is provided with the -days
> arg.  This example will set you up for over 2 1/2 years.
>  e.g.   openssl req -new -x509 -nodes -days 999 -out server.crt -keyout server.key
>
> You'll need to restart apache.
>
>
> If your client is the problem (and I don't know why it would be), to
> reset your client and let it replace any existing cert info, remove the
> cert8.db and key.db files from the OpenILS profile.  Under Windows, probably
> found under:
>  C:\Documents and Settings\<user>\Application Data\OpenILS\openils_ils_staff_client\Profiles\<random string>\
>
>
> Having said that, Dan's correct about purchasing a cert if you're going to
> be using this in production, otherwise patrons will be prompted to accept a
> certificate from this "unknown" signer for any SSL traffic (e.g. My
> Account), and I.E. 7 in particular has a really nasty dialog that reports
> this as "Not Recommended" to the user.
>
>
>
>> On Fri, Jun 6, 2008 at 10:12 AM, Dan Scott <denials at gmail.com> wrote:
>>
>>    2008/6/6 Robert <glibrarysystem at gmail.com>:
>>
>>    > How can I import the certificate into the staff client on a windows machine
>>    > so that I don't have to accept it every time I start the staff client? I
>>    > have tried to import it through the normal means, internet options ->
>>    > content -> certificates but it still asks me to accept it after that. Also,
>>    > I can't accept it permanently when it asks. I click the radio button for
>>    > Accept this certificate permanently and then click ok but it brings the same
>>    > screen back up every time I do it. The only way I can get it to continue on
>>    > loading the staff client is to temporarily accept the certificate for the
>>    > session. Does anyone have any suggestions as to how to make this permanent?
>>
>>    Hi Robert:
>>
>>    I'm not sure it's possible to permanently accept a self-signed
>>    certificate in the staff client - particularly through Windows'
>>    certificate methods, which I believe would only affect Internet
>>    Explorer. The staff client is built on Mozilla XUL which uses a
>>    separate means of ensuring secure communications.
>>
>>    If you purchase and deploy a SSL certificate from a trusted certified
>>    authority, I believe that you won't be prompted to accept the
>>    certificate at all (until it expires, etc). There are a number of web
>>    sites that provide more information about SSL, and that describe how
>>    to purchase and deploy certified SSL keys: here's one -
>>    http://www.sitepoint.com/article/securing-apache-2-server-ssl
>>
>>    --
>>    Dan Scott
>>    Laurentian University
>>
>>
>>
> --
>
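
Added example, not part of the original thread: a shell sketch for checking that a regenerated self-signed certificate has the intended lifetime, matches its private key, and is the one the web server actually presents after a restart. The function names, the CN evergreen.example.org and the use of -subj (to avoid the interactive prompts) are assumptions.

```shell
#!/bin/sh
# Added example; names, CN and paths are assumptions, not from the thread.

# make_cert DIR DAYS CN: self-signed cert + key, same openssl req call as in
# the thread, with -subj so it runs without prompting.
make_cert() {
    openssl req -new -x509 -nodes -days "$2" -subj "/CN=$3" \
        -out "$1/server.crt" -keyout "$1/server.key" 2>/dev/null
    chmod 600 "$1/server.key"   # private key readable by owner only
}

# cert_valid_for CRT DAYS: succeeds if CRT is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert CRT KEY: compares the public key embedded in the cert with
# the one derived from the private key.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_summary CRT: subject, validity window and fingerprint of a cert file.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# served_fingerprint HOST: fingerprint of the cert the running server presents
# on port 443. If it differs from cert_summary's, the server is still serving
# the old certificate. Needs network access; not run in the demo below.
served_fingerprint() {
    echo | openssl s_client -connect "$1:443" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Demo in a scratch directory (constructed input, nothing under /etc touched).
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 365 evergreen.example.org
cert_summary "$demo_dir/server.crt"
cert_valid_for "$demo_dir/server.crt" 300 && echo "valid for 300+ days"
key_matches_cert "$demo_dir/server.crt" "$demo_dir/server.key" && echo "key matches"
rm -rf "$demo_dir"
```
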