Self signed certs question

drmike Member
edited September 2011 in General

Do most if not all browsers still reject self signed ssl certificates? Just wondering.


Comments

  • Francisco Top Host, Host Rep, Veteran

    I'm fairly sure all of them ignore it since it can't be verified at all, no?

    Francisco

  • Not reject ~ It's just a warning, not a hard reject like DigiNotar or something

  • Some way to force Chrome to allow specific self signed certs?

    I have tried Opera and it can do it

  • kiloserve Member
    edited September 2011

    yomero said: Some way to force Chrome to allow specific self signed certs?

    I did this a long time ago so the steps might not be exact but it should be close:

    1) Go to self-signed site
    2) Right Click on lock in address bar
    3) "Get Certificate Info" and a new box will pop up
    4) Check the tabs, there is a "Save to file" button.
    5) Save certificate somewhere you can remember with .cer extension
    6) Go to Chrome OPTIONS --> Under the Hood --> Manage Certificates
    7) Import Certificate you saved earlier
    

    Maybe there is an easier way to do it but this works.

  • yomero said: Some way to force Chrome to allow specific self signed certs?

    You have to allow it per certificate, I know on OS X you can add it to your keychain, and it will accept it system wide.

  • Thanks kiloserve, seems that didn't work u_u I will try with another cert later. It seems that I need to add them to the OS repository (at this moment Windows and, as Daniel says, to the OS X keychain).

  • Do most if not all browsers still reject self signed ssl certificates? Just wondering.

    The SSL certificates are the income the browser creators have. They won't cut that flow of money.

  • @kylix How's that?

  • @drmike instead of a self signed you can use a free one. See startssl.com

  • @Daniel: Web browsers and ftp clients transparently accept SSL certificates signed by certificate providers who pay to have this functionality enabled in those clients. You need an audit to have your root-cert included, which is handled i.e. by webtrust.org. It costs ~$75,000 up-front plus ~$10,000 per year.

  • @kylix But a lot of web browsers don't manage their own SSL certificates, they use the ones in the OS

  • @Daniel: Firefox manages its own. I don't know about IE or other browsers and I've never heard that the OS deals with SSL certificates. But I guess you have to pay the OS producer then, too.

  • rm_ IPv6 Advocate, Veteran
    edited September 2011

    Get a http://www.cacert.org/ certificate, it's much better than self-signed - it's free, full-featured (e.g. multi-domain) and accepted as valid at least by some operating systems and browsers: https://secure.wikimedia.org/wikipedia/en/wiki/CACert#Inclusion_status
    If your browser doesn't, you can manually install the CACert root certificate in it, and then never get a warning on CACert-signed websites, not having to add an exception for each of them individually.

  • kylix Member
    edited September 2011

    Yes, CAcert is quite nice but I haven't found a browser that uses it.

  • You can get a free class 1 certificate from http://www.startssl.com/ and it's accepted by all the popular browsers

  • rm_ IPv6 Advocate, Veteran
    edited September 2011

    StartSSL is sucky because its free cert is single-domain-only.
    I do not have 1 IPv4 per every domain I want to use SSL on.

  • rm_ said: StartSSL is sucky because its free cert is single-domain-only. I do not have 1 IPv4 per every domain I want to use SSL on.

    Then use SNI.

  • rm_ said: StartSSL is sucky because its free cert is single-domain-only.

    I do not have 1 IPv4 per every domain I want to use SSL on.

    That is the problem.

    Also, I am too lazy to get 832903829 certs for all my sites :|

  • Paid certificate for multiple domains = $60/2 years, not too bad. The IPv4 issue is separate because you might want to use different IPs for ie6 and other older browsers anyway.

  • I use my trick to get free RapidSSL certificates.

  • justinb Member
    edited September 2011

    dmmcintyre3 said: I use my trick to get free RapidSSL certificates.

    My little fraudster!

    Thanked by 1kylix
  • I just use NameCheap for SSLs, they're darn cheap, and accepted by most OS's and browsers.

  • Hmm... this might be off-topic but what I read today made me think that there's a bigger problem regarding SSL (TLS 1.0 and earlier).

    (http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/)

    Thanked by 1mrm2005
  • Vad said: Paid certificate for multiple domains = $60/2 years, not too bad. The IPv4 issue is separate because you might want to use different IPs for ie6 and other older browsers anyway.

    And Windows XP also if I remember. And a lot of people use XP (me at this moment in my netbook)

  • Infinity Member, Host Rep

    dmmcintyre3 said: I use my trick to get free RapidSSL certificates.

    That is a clever trick that I think shouldn't be publicized too much or else.. they'd stop it.

  • yomero said: And Windows XP also if I remember. And a lot of people use XP (me at this moment in my netbook)

    Caught :-)

  • Infinity said: That is a clever trick that I think shouldn't be publicized too much or else.. they'd stop it.

    I think I have a good idea what you are talking about. Works with GeoTrust too :)

  • Two other options... one would be to create a self-signed CA cert. Import that into your various browsers, and then you can use that cert to sign as many other certs as you want and since they're signed by the already trusted CA cert, they'll be trusted as well.

    Another is to do basically the same thing through the CACert.org system. Free certificates, you just have to install their CA cert in your browsers. Many Linux distros come with them preinstalled now though.

    Thanked by 2yomero tux
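
The first option in the post above (one self-signed CA cert that signs the individual site certs), as an added example that is not part of the original thread. It uses the `openssl` command line; the CA name, the host www.example.test and all file names are constructed for illustration.

```bash
# Added example: a private CA signing a per-site certificate (constructed names).
# make_ca DIR: write a self-signed root CA key and certificate into DIR.
make_ca() {
    local dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# sign_site DIR HOST: issue a server certificate for HOST from the CA in DIR.
sign_site() {
    local dir=$1 host=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Modern browsers match the hostname against subjectAltName, not the CN.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt" 2>/dev/null
}

# trusts CA_CERT SITE_CERT HOST: succeed only if SITE_CERT chains to CA_CERT
# and is valid for HOST, the check a client makes once CA_CERT is imported.
trusts() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_ca "$work" && sign_site "$work" www.example.test
trusts "$work/ca.crt" "$work/www.example.test.crt" www.example.test \
    && echo "www.example.test is trusted through the private CA"
```

Only `ca.crt` is imported into the browsers or the OS store. `ca.key` stays private, since anyone holding it can issue certificates those clients will accept.
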
  • Interesting site diffra

  • I was just wondering about the self signed. :)
