Solved

Certificates

Posted on 2013-02-06
Last Modified: 2013-02-10
I feel terribly ignorant on this subject.  Everywhere I've looked seems to be a collection of highly technical stuff and not much in the way of practical things.  I don't mind reading the technical stuff but if it only tells me how things are supposed to work, etc. etc. and not how to fix my problems then it's not all that much use.  
There must be a pony in there somewhere!!

Some things I've found are just way too technically complex for an average user.  So, while I may be a bit of an expert on some things and could probably wade through it all, I just cannot imagine that normal folks have to deal with intricate instructions and command line instructions, etc. etc.  There must be a better way  - and that's what I'm trying to find.

Cases in point:

I go to "webmail.drroofinc.com" which is hosted by linknowmedia.
I get a Certificate Error.
I told the mail service provider about it and they said that I have to "download a certificate into my browser" .. I'm not sure what that means or how to do it.

I have some newer "Cisco" RV042 routers (V03).  If I set up the management interface for https then I get the same thing.  I'm pretty sure that there's nobody I can go to to "solve" this.  I figure I have to solve it myself.

Now, sure, I can just bypass the warning but the purpose of this question is to learn how to do something better than that.
Question by:Fred Marshall
5 Comments
 
LVL 10

Expert Comment

by:tmoore1962
ID: 38860802
When you get the cert error you probably have the choice to view the certificate or continue on. Choose to view the cert and then you should get the option to install. Install the cert. Let IE choose the location as this works most of the time. You should get a successful install response; once you do this you won't get the certificate error anymore.
 
LVL 7

Assisted Solution

by:multimac
multimac earned 250 total points
ID: 38860829
I am not sure how to help you?

The reason you got a warning for the certificate @ "webmail.drroofinc.com" is easy: It's self-signed, and not signed by some "trustful" certificate authority that your computer or your browser have already known before or was imported by the operating system or browser vendor. Same thing goes to your CISCO-Router.

There are now two possibilities:
a.) You accept the "not trustful" certificate. Most browsers have some 'Accept Always'-button for this.
b.) You go ahead and buy some "real" certificate e.g. for your CISCO-Router. But that's just wasted money as long as you are the only person to connect.

Another thing to understand is the following: The kind of a SSL certification does not decide the privacy or the encryption of the connection. It's just more a hint that "Company $CA checked for $$$$ money that the domain or the host you connect is under property of company $BUYER".
 
LVL 25

Author Comment

by:Fred Marshall
ID: 38861147
OK.  I played around a bit with IE8 and Chrome using a new RV042.
First, I had to figure out on my own that if one clicks on the "warning icon" then there MAY be some actions one can take:
e.g. on IE if one clicks on "Continue to this website"
THEN in the address bar there is a short section that says: "Certificate Error".
IF one clicks on that section of the address bar, a popup appears that says:
"Certificate Error" and gives an option: View Certificate.
Then, depending on the OS:

In Windows XP it gives you the option to Install Certificate and you can either allow automatic selection of the "store" or you can manually select a store from a provided list.
In one case it says: "To enable trust, install this certificate in the Trusted Root Certification Authorities store."
So, I did that and there is no difference in how the browser behaves.  It's as if nothing had been done.

In Windows 7 it doesn't provide that option at all that I can tell.

Chrome doesn't appear to provide a similar option that I can tell.

All that said, while *I* can ignore warnings with perhaps reasonable judgement, that's not the case for my clients.  I don't want to tell them to ignore a warning from an outside website for the obvious reasons.  So, I need the warning to go away using some up-front judgement and preparation.

If I didn't say it, I have not been able to get rid of the warning on either the RV042 or the webmail site on any of the three computers I have here in front of me.  Except for the XP/Win7 difference and the IE/Chrome differences - they all behave the same.
 
LVL 20

Accepted Solution

by:
Jakob Digranes earned 250 total points
ID: 38863551
Just to add to @multimac's comment:
-EDITED --- Sorry; @multimac did explain this -- leaving it in the comment, as the rest depends on it: - Certificates that are self-signed and certificates signed by an untrusted root are quite different things. I guess we have the same opinion on the error.

On the firewall the certificate is indeed self-signed - and as mentioned earlier - don't bother with that.

But for the webmail, the error might as well be that the certificate is from an untrusted root. This could be untrusted because it's from an internal PKI solution, or it might be that the Trusted Root Certificate, or certificate chain, isn't in your PC's Trusted Root Authority store. I've come across this several times in different Lync/Exchange installations, particularly Comodo/Entrust/UserTrust certificates, which indeed are a trusted 3rd party is missing. To verify this - open certificate that the website is secured with, go to details and look at certificate chain. This will tell you if the certificate is self-signed, from an internal untrusted root CA or from a 3rd party public CA - that your Windows installation doesn't trust. As they say - you can download root certificate to your trusted authorities store and then be able to trust the certificate.

But - more importantly - if this is your webmail, make sure that is secured with a valid 3rd party certificate from a trusted CA, like thawte, DigiCert or OpenSSL.
Saying that proper trusted certificates from public CAs are only there for the CAs to get the cash from you is absolutely bs - and wrong.
Google PHISHING and that will give you quite a few hints. Without a valid certificate, an attacker can easily set up fake webmail page, redirect all requests to that page, have your users log in to that page - thus getting usernames and passwords, which he easily could use later on.
With a valid certificate - you know that the webpage is secured by someone with access to that URL, and computer.

Certificates and securing login portals is essential (!)
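
The chain check described in the answer above, as an added example that is not part of the original thread: it builds throwaway certificates with the `openssl` command line and classifies each one as self-signed, signed by a root that is missing from the trust store, or trusted once that root is in the store. All host names, CA names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, subject and file here is constructed for the demo.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

selfsigned() {  # selfsigned <basename> <common name>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
selfsigned router "router.example"            # like a router's built-in certificate
selfsigned ca     "Example Internal Root CA"  # root of a private (internal) PKI
selfsigned other  "Unrelated Root"            # a trust store that lacks our root

# Webmail certificate issued by the internal root, not self-signed.
openssl req -newkey rsa:2048 -nodes -subj "/CN=webmail.example" \
  -keyout "$W/mail.key" -out "$W/mail.csr" 2>/dev/null
openssl x509 -req -in "$W/mail.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
  -CAcreateserial -days 1 -out "$W/mail.pem" 2>/dev/null

# classify <cert.pem> <trusted-roots.pem>
# prints: trusted | self-signed | untrusted-root
classify() {
  # Does the certificate chain up to a root in the given store?
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted; return
  fi
  # Not trusted: compare "issued to" with "issued by", as in the details dialog.
  subj=$(openssl x509 -in "$1" -noout -subject); subj=${subj#subject=}
  iss=$(openssl x509 -in "$1" -noout -issuer);   iss=${iss#issuer=}
  if [ "$subj" = "$iss" ]; then echo self-signed; else echo untrusted-root; fi
}

classify "$W/router.pem" "$W/other.pem"   # self-signed
classify "$W/mail.pem"   "$W/other.pem"   # untrusted-root
classify "$W/mail.pem"   "$W/ca.pem"      # trusted
```

This checks chain trust only; a browser also checks that the name in the certificate matches the address being visited.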
 
LVL 25

Author Closing Comment

by:Fred Marshall
ID: 38873738
I never did figure out how to get the browser to "accept" the certificates once and for all....