Browser certificates

I have created the key and certificate files using OpenSSL using the command below:

openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024  -nodes -keyout server.key -out server.crt

Then I have exported these key and cert files into the p12 file to install it as a certificate in the browser using the command below:

openssl pkcs12 -export -out cacert.p12 -in server.crt -inkey server.key

And I installed it in the browser (FF3). When I tried to access the site, I got a User Identification Request dialog and selected the certificate there. But I got the error below, saying that the certificate is invalid.

Secure Connection Failed

An error occurred during a connection to system-98685.

Peer does not recognize and trust the CA that issued your certificate.

(Error code: ssl_error_unknown_ca_alert)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.

    * Please contact the web site owners to inform them of this problem.

I have added the

SSLVerifyClient require 

directive to the .htaccess file to verify the browser certificate.
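The error text in the post is the server-side half of the story: with SSLVerifyClient require, mod_ssl checks the certificate the browser presents against the CAs listed in its SSLCACertificateFile (or SSLCACertificatePath), and a certificate it cannot chain to one of those CAs is answered with an unknown_ca alert. A self-signed certificate passes that check only if that very certificate is in the server's CA list. The script below is an added example, not code from the original post or from any reply: it creates a small private CA, issues a client certificate from it, packages the result as a .p12 for the browser, and runs the same chain check the server performs using openssl verify. File names such as ca.crt and client.crt, the subject strings and the pass:changeit export password are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, issue a client
# certificate from it, and check which CA file a server would need to trust.
# All file names, subjects and the export password are assumed for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Private CA: a self-signed certificate whose key will sign client certs.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Client key + CSR, then sign the CSR with the CA (so it is NOT self-signed).
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=browser-user" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
    -out "$WORKDIR/client.crt" 2>/dev/null
}

# 3. Bundle for the browser: client cert + key, plus the CA cert so the
#    browser knows the chain. The password is an assumed example value.
make_p12() {
  openssl pkcs12 -export -in "$WORKDIR/client.crt" -inkey "$WORKDIR/client.key" \
    -certfile "$WORKDIR/ca.crt" -passout pass:changeit \
    -out "$WORKDIR/client.p12"
}

# For comparison, the same kind of certificate the original post created:
# self-signed, issued by no CA the server knows about.
make_selfsigned() {
  openssl req -new -x509 -days 365 -sha256 -newkey rsa:2048 -nodes \
    -subj "/CN=self" -keyout "$WORKDIR/self.key" -out "$WORKDIR/self.crt" 2>/dev/null
}

# The check a server performs: does certificate $2 chain to a CA in file $1?
# Prints "ok" or "fail". A "fail" here is what the browser sees as the
# unknown_ca alert when $1 plays the role of SSLCACertificateFile.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

main() {
  make_ca
  make_client_cert
  make_p12
  make_selfsigned
  echo "CA-issued client cert against ca.crt:   $(verify_against "$WORKDIR/ca.crt" "$WORKDIR/client.crt")"
  echo "Self-signed cert against ca.crt:        $(verify_against "$WORKDIR/ca.crt" "$WORKDIR/self.crt")"
  echo "Self-signed cert against itself as CA:  $(verify_against "$WORKDIR/self.crt" "$WORKDIR/self.crt")"
  echo "Files written to $WORKDIR"
}

# Run the full flow only when invoked as: sh cert-demo.sh run
case "${1:-}" in run) main ;; esac
```

Run it with `sh cert-demo.sh run`. The first line of output shows the CA-issued certificate verifying, the second shows the self-signed one failing against a CA file that does not contain it, and the third shows that the self-signed certificate does verify once its own certificate is what the server trusts. That third case is the route for a self-signed client certificate: the same server.crt that went into the .p12 has to be in the server's CA file, otherwise mod_ssl has nothing to chain it to.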

AB,

It sounds like a self-signed certificate and that WILL cause browsers to raise a warning flag. If you go get a cert from a recognized company, things will be different.

Regards,

DK

Is there any way that we can prevent these kinds of errors for the certificates generated using OpenSSL?

You can try adding an exception for the domain in your browser to get rid of the error.

I have added an exception for the domain. But still no use.

FF (especially 3.x) is stricter in terms of security, and it won’t give much detail either. However, adding an exception should work many a time.

Try with Opera, which gives you more detailed info on why a site is not secure. Just click the details tab in the warning window you get when you access your site. You are sure to get some useful info. Konqueror proves helpful too.

I disagree with my modVPS friends. The fact that you are signing your own certificate means that you are NOT secure but only that you can transfer data in an encrypted mode. If I were at your website, I would want to know that no one else has verified your security so that I should NOT provide credit card information. If you want to disable such warnings in your browser, knock yourself out, but leave the security certifications to the professionals - and accept that browser makers agree and have created their browsers to announce such nonsense to their users.

Regards,

DK

There are two aspects to using a security certificate. The minor one is encrypting the info being passed so that a man-in-the-middle attacker can’t read the information. Such attacks are relatively rare and while that security is important it is not essential for the 99.99%+ of the time where there is no one attempting such an attack.

The major one is confirming that the web page is on the web site the person filling out the form is trying to send the information to. A security certificate provides proof of that by containing information that must match both the current web site and the list of trusted certificate authorities, in order to confirm that a trusted authority has confirmed that the web site the certificate is installed on is who it claims to be. This part of the certificate’s use is an essential part of each transaction, since it is the way that a buyer can confirm who it is that they are giving their money to. A self-signed certificate does not achieve this part of the purpose of having a security certificate and so should pop up an alert to let the person filling out the form know that there is no third-party confirmation that the site they are about to enter their credit card details on is who they say they are and not a conman half a world away from where they claim to be.

Of course, if you just need the encryption part of the security for purposes of your own, then you can use a self-signed certificate and make yourself a trusted authority in your own browser.

There are cases where a self-signed SSL certificate proves helpful (only to the individual, though; maybe this is what is enough). But this cannot be overlooked completely.
Maybe one wants to connect to his own domain/server and cannot afford a commercial certificate just for this. There is no way you cannot trust yourself, after all.

You have basically repeated what I said in my last paragraph.

:lol: As did you … albeit much clearer than I did with my rant above! Thanks for making it clear!

Regards,

DK

Could anyone tell me the difference between RapidSSL, SharedSSL and OpenSSL?