And I installed it in the browser (FF3). And when I tried to access the site, I got a User Identification request dialog and there I selected the certificate. But I got the error below, saying that the certificate is invalid.
Secure Connection Failed
An error occurred during a connection to system-98685.
Peer does not recognize and trust the CA that issued your certificate.
(Error code: ssl_error_unknown_ca_alert)
The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem.
I have added the
SSLVerifyClient require
directive to the .htaccess file to verify the browser certificate.
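As an added example that is not from the original thread, here is the server-side part of an Apache mod_ssl virtual host that SSLVerifyClient require depends on: the server must be told which CA issued the client certificates, or it cannot build a chain for the certificate the browser presents. The hostname and file paths are assumptions.

```apache
# Added example (not from the thread): Apache mod_ssl virtual host with
# browser client-certificate verification. Paths and hostname are assumed.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA certificate (or bundle) that issued the client certificates.
    # Without it the server cannot chain the presented client certificate
    # and the handshake ends with an unknown_ca alert even though
    # SSLVerifyClient is set. Valid only in server config or virtual host
    # context, never in .htaccess.
    SSLCACertificateFile /etc/ssl/certs/client-ca.crt

    # Maximum number of intermediate CAs allowed between the client
    # certificate and a CA listed in SSLCACertificateFile.
    SSLVerifyDepth 2

    <Location /secure>
        # Require a client certificate for this path. This directive is
        # the one part of the setup that may also be placed in .htaccess.
        SSLVerifyClient require
    </Location>
</VirtualHost>
```

Before reloading Apache, `openssl verify -CAfile /etc/ssl/certs/client-ca.crt client.crt` checks offline that the browser's certificate actually chains to the CA file the server is given.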
It sounds like a self-signed certificate and that WILL cause browsers to raise a warning flag. If you go get a cert from a recognized company, things will be different.
FF (especially 3.x) is more strict in terms of security, and it won't give many details either. However, adding an exception should work many a time.
Try with Opera, which gives you more detailed info on why a site is not secure. Just click the details tab in the warning window you get when you access your site. You are sure to get some useful info. Konqueror proves helpful too.
I disagree with my modVPS friends. The fact that you are signing your own certificate means that you are NOT secure, but only that you can transfer data in an encrypted mode. If I were at your website, I would want to know that no one else has verified your security so that I should NOT provide credit card information. If you want to disable such warnings in your browser, knock yourself out, but leave the security certifications to the professionals - and accept that browser makers agree and have created their browsers to announce such nonsense to their users.
There are two aspects to using a security certificate. The minor one is encrypting the info being passed so that a man-in-the-middle attacker can’t read the information. Such attacks are relatively rare and while that security is important it is not essential for the 99.99%+ of the time where there is no one attempting such an attack.
The major one is confirming that the web page is on the web site the person filling out the form is trying to send the information to. A security certificate provides proof of that by containing information that must match both the current web site and the list of trusted certificate authorities, in order to confirm that a trusted authority has verified that the web site the certificate is installed on is who it claims to be. This part of the certificate's use is an essential part of each transaction, since it is the way that a buyer can confirm who it is that they are giving their money to. A self-signed certificate does not achieve this part of the purpose of having a security certificate and so should pop up an alert to let the person filling out the form know that there is no third-party confirmation that the site they are about to enter their credit card details on is who they say they are, and not a conman half a world away from where they claim to be.
Of course, if you just need the encryption part of the security for purposes of your own, then you can use a self-signed certificate and make yourself a trusted authority in your own browser.
There are cases where a self-signed SSL certificate proves helpful (only to the individual though; maybe this is what is enough). But this cannot be overlooked completely.
Maybe one wants to connect to his own domain/server and cannot afford a commercial certificate just for this. There is no way you cannot trust yourself, after all.