Re: apache-ssl certificate woes

* Joyce, Matthew (MJoyce@ccia.org.au) [030501 22:23]:
> Hi,
> I have a woody/apache-ssl/imp webmail system, which has been working fine.
> This week I have been playing with stunnel on that machine and now my Mac
> users cannot connect to the webmail.
> "the certificate is invalid"
> When I try using a PC I am offered to accept/decline/view the cert, this is
> normal, and it still works if I accept.
> The same thing used to happen on the Macs.
> Any ideas what I have done, and how I can fix it?

Well, here's an idea, but I'm not sure it'll work for your particular
case (I've never tested IE/mac's behavior).  For my own certs, I have
created a CA keypair, and all of my certs are signed by that key.  I
made the CA's cert available for download and instructed my clients to
go to that URL and tell their browser to accept the cert and use it to
certify web servers.  Now, whenever they use any of my ssl services
signed by my CA key, they don't get hassled any more than if I was using
a verisign cert (no errors, no warnings, it just works).

If you want to test to see if this approach will work before going
through the process of creating the CA and re-creating certs for your
https service, you can try to see what happens with that browser at


If it asks you if you want to accept the cert, then it should work.
I've tested it with IE/win, mozilla/win and mozilla/linux.
After accepting the CA cert once, all of the signed certs just work for
https, imap/ssl, etc.  Anything that uses the same certificate store on
the client will be happy.  That means do it once in your mozilla
browser, and it just works for mozilla mail.  Do it in IE, and it works
in outlook and OE (And various 3rd-party apps that use IE's security

good times,
						--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
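
The private-CA approach described in the reply above, as an added example that is not part of the original message: it creates a CA key pair, signs a server certificate with it, and checks that the certificate verifies only for a client that trusts the CA certificate. The names `Example Private CA` and `webmail.example.org`, the file names, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example; every name, file and lifetime below is constructed.
write_config() {                      # $1 = working directory
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:webmail.example.org
EOF
}
# CA key pair and self-signed CA certificate. -nodes leaves the key unencrypted
# so the example runs unattended; protect a real CA key with a passphrase.
make_ca() {
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Org/CN=Example Private CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
# Server key and CSR, then the CSR is signed with the CA key.
issue_server_cert() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=webmail.example.org" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/ca.cnf" -extensions v3_server \
        -out "$1/server.crt" 2>/dev/null
}
# Client that imported ca.crt as a trusted root: verification succeeds.
verify_trusting_ca() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; }
# Client with an empty trust store (CA never imported): verification fails.
verify_without_ca() { openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1; }
# Fingerprint to publish out of band so users can check the CA cert they download.
ca_fingerprint() { openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256; }

d=$(mktemp -d)
write_config "$d" && make_ca "$d" && issue_server_cert "$d"
verify_trusting_ca "$d" && echo "CA imported:     server certificate verifies"
verify_without_ca "$d"  || echo "CA not imported: server certificate rejected"
ca_fingerprint "$d"
rm -rf "$d"
```

Only `ca.crt` is handed to clients; `ca.key` stays off the web server, since anyone holding it can issue certificates those clients will accept.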
