
Stop prompting for WebAccess Certificate

Status
Not open for further replies.

bytehd (IS-IT--Management, US), Apr 26, 2002
I know I'm going to solve this one.
But if you already have....

I was trying to get Apache 2 on NW65/GW65 to use the
proper NDS PKI Certificate. The GW WebAccess (SP4) still prompts you to accept the cert because Windoze can't verify the cert up the chain to a root Auth.

I've followed the Novell TIDs (create PKI Key Material object), then use that object's name in HTTP.CONF.

I managed to shut down my whole WebAccess...oops.

Well, reran Web Access Setup and it was fixed.

Any Tek-tips?


George Walkey
Senior Geek in charge
 
What certificate provider do you use? If it's not a public one, you can usually import the root CA into your browser and not be prompted again. Until you do, the browser will prompt you to accept the certificate. This isn't a Windows issue.
 
Yes, it is.
Netware is the root provider.
Seems like I need to export the root CER file and make it available to the users?


George Walkey
Senior Geek in charge
 
That's exactly correct. If the root certificate is imported into the browser, the browser will treat anything signed by that cert as if it was Verisign, Geotrust, etc.: fully trusted.
 
I know this part.
It's the Netware part I'm trying to figure out.
Getting Apache2 to accept the Root cert for SSL.

Should I post httpd.conf?


George Walkey
Senior Geek in charge
 
Sorry, I misunderstood. As I recall, Apache on NetWare works like on any other platform. The "SSLCertificateFile" and "SSLCertificateKeyFile" should work normally.
 
Ok,
I'll check it out tomorrow.
I DON'T think my NDS PKI Object names match the ones in HTTP.CONF.

That would explain a few things....



George Walkey
Senior Geek in charge
 
I love this topic because MS makes it a hassle to import the cert into windows.


You shouldn't have to screw with your web configuration unless you do want to change your certificate or if you want to create an external certificate for public use.

Regardless of what you use, you just have to make sure you have accepted your "Organizational CA" as a trusted Root authority. When I say this, I mean in Windows in your browser. Once you do that, your certificates should be valid and you shouldn't get that warning (unless your certificate name and the URL are mismatched).

In IE: Just load the webpage, get the warning, view the cert, then go import the Org CA. Don't import the cert itself; you need to import the Org CA. Otherwise you'll continue to get that error. I'm not sure how to do it in Firefox; it appears to do it on a per-certificate basis, not Org CA.





Marvin Huffaker, MCNE
 
If you import the root CA (the "organizational CA") in Firefox, you'll get no more warnings for any certificate signed by that CA. Same for IE and other browsers. Nothing to do with Windows, and it needs to be done separately for each browser that you use.

You can also simply accept the site certificate in the browser, which will almost accomplish the same thing. The difference is that if you have different sites with different certs under the same CA, you'll have to accept each one separately. I prefer the CA approach as you can just tell employees to accept the company's CA.
 
I'm on site now guys.
I'm going to check out the NDS objects.

Marv, here is the kicker:
"unless your certificate name and the URL are mismatched"

I have the NW65/GW65 server behind a Cisco PIX.
The NW65/GW65 server has a private address only.
The PIX is doing static NAT to a public address, so the GW agents
are both private and WebAccess is public.

Maybe that's why the cert doesn't work.
I think I created the cert at Install time.
Perhaps the IP address on the Novell NIC was a public address.
Not sure.






George Walkey
Senior Geek in charge
 
Could be. If you use the IP address to get to Webaccess, you're likely to have that problem from either inside or outside the network, at least. The way I got around it some time ago (not for Webaccess, but Apache on Netware) was to create a new certificate based on DNS name, then the IP address doesn't get in the way. Look at the existing SSLCertificateDNS object for the server for the template. Basically just change the name to "cn=webaccess.mycompany.com,ou=..." as appropriate. In this case, I had to change the Apache config to point to the new certificate object, but it worked just fine.

Remember, 3 things have to match for the certificate to be transparently accepted:
1. CA must be trusted by the browser (import your root CA).
2. Name on URL bar must match the CN in the certificate.
3. Certificate dates must be valid.
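The three conditions above, modelled as an added example that is not from the thread, using Go's standard crypto/x509 package: it constructs an "Organizational CA" and a server certificate issued from it, then runs the same checks a browser does. The hostname webaccess.example.com and the address 10.0.0.5 are assumed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample names; the hostname is an assumption, not taken from the thread.
const caName, leafName = "Organizational CA", "webaccess.example.com"

// sign issues a certificate from tmpl under parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}

// buildChain creates a root CA and a server certificate issued from it, both valid for one year.
func buildChain() (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key errors ignored for brevity
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	start, end := time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: start, NotAfter: end, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: leafName},
		DNSNames: []string{leafName}, NotBefore: start, NotAfter: end,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// browserAccepts applies the three checks: the root is trusted, the name in the URL
// matches the certificate, and the dates are valid at time "at".
// trusted == nil models a browser into which the Org CA was never imported.
func browserAccepts(leaf, trusted *x509.Certificate, host string, at time.Time) bool {
	roots := x509.NewCertPool()
	if trusted != nil { roots.AddCert(trusted) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil
}

func main() {
	ca, leaf := buildChain()
	now := time.Now()
	fmt.Println("CA imported, DNS name, valid dates:", browserAccepts(leaf, ca, leafName, now))
	fmt.Println("CA not imported:", browserAccepts(leaf, nil, leafName, now))
	fmt.Println("reached by IP address instead of DNS name:", browserAccepts(leaf, ca, "10.0.0.5", now))
	fmt.Println("two years later (expired):", browserAccepts(leaf, ca, leafName, now.Add(2*365*24*time.Hour)))
}
```

Only the first case prints true; each of the other three breaks exactly one of the three conditions.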
 
Well it works now.
For some reason, I just re-imported the cert CA into the IE trusted list and it's fine now.

Go figure.

Didn't have to change Apache at all.

George Walkey
Senior Geek in charge
 
When I set up a certificate for public use, I always use the DNS name and set that up in Apache. You don't want to use the default ones in this case because it can expose your internal private information.

I try to match the DNS name internally when possible, but if you bounce between IP address, server name and full DNS name, you're going to have that error due to a mismatched URL.

lgarner, how do you import the ORG CA into firefox? I don't see a way to do it.

Marvin Huffaker, MCNE
 
As I recall, you can export the CA cert to a text file, and import that. I just put it on an internal web site with instructions. It's been a while; the last cert I made was good for 10 years, so it's not something I've done recently. I don't remember the steps to export it from Consoleone or NWadmin.
 