Posts: 49 | Thanked: 15 times | Joined on Mar 2010 @ Scotland
#1
Hi,

I connect to an SSL site which uses a self-signed certificate which has just expired, and a new self-signed certificate has been re-created. My N900 was previously connecting fine - I suspect I installed the certificate or added some trust/exception, but I can't recall.

Now when I connect, the inbuilt browser & Firefox both complain about an invalid certificate saying that the certificate contains the same serial number as another certificate issued by the CA. (true)

I have scanned through all the certificates in "Certificate Manager" hoping to find and delete the old certificate, but I can't find it - or don't recognise it.

I had the same problem with the SSL site on my desktop with Firefox, but I found and deleted the certificate and this solved the problem.

Anyone got any suggestions for fixing the same problem on the N900?

Last edited by HammY; 2010-04-21 at 00:30.
 
Posts: 336 | Thanked: 610 times | Joined on Apr 2008 @ France
#2
First of all, you shouldn't be trusting certificates on a "per-certificate" basis. Trust the CA, and be done with it.

Secondly, a certificate shouldn't have the same serial number as another one from the same CA. This goes against RFC 2459, and you should contact the website owner to make sure they look into this. The only way for this to happen is by having faulty generation services (such as a broken CA), or a broken self-signed algorithm.

Lastly, there is nothing we can do: just go through all the certificates, and delete the right one. There is no magic trick.
 

Posts: 49 | Thanked: 15 times | Joined on Mar 2010 @ Scotland
#3
Originally Posted by CrashandDie:
First of all, you shouldn't be trusting certificates on a "per-certificate" basis. Trust the CA, and be done with it.

Secondly, a certificate shouldn't have the same serial number as another one from the same CA. This goes against RFC 2459, and you should contact the website owner to make sure they look into this. The only way for this to happen is by having faulty generation services (such as a broken CA), or a broken self-signed algorithm.

Lastly, there is nothing we can do: just go through all the certificates, and delete the right one. There is no magic trick.
Good advice.

However, the site/service is a trusted SSL/VPN server for which I generated the certificate, so I trust it. On the desktop browsers I add the domain as a trusted site. You raise a good point about trusting the issuer rather than the certificate itself.

I used the application to generate a 'valid' certificate, which defaults to 1 year, but there is no option for the serial number, which is set to '00'. I'll have a look today, as it does allow certificate imports. As you say - it looks like a broken self-signed function.

I tried exporting the certificate (PER) from my desktop and it installed on my N900 fine, and it appears as a "Server" but this made no difference.

I guess today I will be getting lots of home users calling and complaining about this problem - at least they can resolve this on desktop IE and Firefox.
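
An added example (not part of the thread): a shell check for the condition the browsers are reporting here, two certificates that share the same issuer and serial number, plus a helper that mints a self-signed certificate with a chosen serial so a replacement can be given a fresh one. It assumes the `openssl` CLI is installed; `vpn.example.test` and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: detect certificates that reuse an (issuer, serial) pair.

# Print "issuer|serial" for one PEM certificate file.
cert_key() {
    local issuer serial
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 1
    serial=$(openssl x509 -in "$1" -noout -serial) || return 1
    printf '%s|%s\n' "${issuer#issuer=}" "${serial#serial=}"
}

# Print every issuer|serial key that appears in more than one of the
# given files. Empty output means no collision.
find_serial_collisions() {
    local f
    for f in "$@"; do
        cert_key "$f"
    done | sort | uniq -d
}

# Constructed test input: create a self-signed certificate with a chosen
# serial, mimicking a generator that always emits the same value.
# usage: make_selfsigned <out.pem> <serial>   (decimal, or hex with 0x)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=vpn.example.test" -set_serial "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Typical use (constructed file names):
#   make_selfsigned old.pem 0
#   make_selfsigned new.pem 0
#   find_serial_collisions old.pem new.pem      # prints the shared key
#   make_selfsigned fixed.pem "0x$(openssl rand -hex 16)"
#   find_serial_collisions old.pem fixed.pem    # prints nothing
```

Because a self-signed certificate is its own issuer, regenerating it with the same subject and the same serial always produces a collision with the copy a client has already stored.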
 
Posts: 336 | Thanked: 610 times | Joined on Apr 2008 @ France
#4
HammY,

What application did you use to generate the certificate? You might want to purchase an SSL certificate -- they're seriously cheap these days.

Also, if this is inside a company, and you control the distribution of the CA certs (you can push them through Windows GPO), you may want to deploy your own CA, and push that to all your clients. Windows Server 2003 Enterprise comes with Microsoft Certificate Authority.

It's a simple CA, but it does the job for most things. Based on your security needs, you may not need to have it signed by anyone else (= no fees).

You may want to expose your requirements a bit more, I can advise.

Source: I'm a security expert, specialised in PKI.
 
Posts: 49 | Thanked: 15 times | Joined on Mar 2010 @ Scotland
#5
Originally Posted by CrashandDie:
HammY,

What application did you use to generate the certificate? You might want to purchase an SSL certificate -- they're seriously cheap these days.

Also, if this is inside a company, and you control the distribution of the CA certs (you can push them through Windows GPO), you may want to deploy your own CA, and push that to all your clients. Windows Server 2003 Enterprise comes with Microsoft Certificate Authority.

It's a simple CA, but it does the job for most things. Based on your security needs, you may not need to have it signed by anyone else (= no fees).

You may want to expose your requirements a bit more, I can advise.

Source: I'm a security expert, specialised in PKI.
Thanks again.

The certificate was generated by a Netilla Security Platform running about 3 versions behind. It is on the Internet and provides various secure connections for suppliers and staff to a few selected servers/service.

Given that it is used by external suppliers, I should look at getting a recognised 3rd party signed certificate.

I'll PM you the link so you can have a look.
 
Posts: 14 | Thanked: 1 time | Joined on Sep 2009
#6
I have a similar problem. I have a self-signed certificate that I issue to use on my own server. There only seem to be CAs in the certificate browser. Where are the non-CA certificates stored, so I can delete the old one and add the new certificate? Desktop Firefox does it. Any clues please?
 
Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#7
Launch the browser and enter chrome://pippki/content/certManager.xul as the URL. This'll launch the certificate manager, and the certificate should be in there somewhere (either the CA or the Server tab). The UI isn't touch-friendly, so you'll need to poke around with the stylus.
 

Posts: 14 | Thanked: 1 time | Joined on Sep 2009
#8
It accesses the security certificates like a treat, thank you. However, when I access my site, I get the new certificate and add the exception. All seems to work. I can see the new certificate. Now I get a MicroB error and am unable to access the site. I will get the exact message and add it to the post.
Unable to connect
MicroB can't establish a connection to the server at xxx

* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that MicroB is permitted to access the Web.

Any clues please?

Last edited by CEN; 2010-10-08 at 10:04.
 
Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#9
That's not a certificate issue anyway - looks like a generic timeout. Can you access the site okay from other PCs?
 
Posts: 14 | Thanked: 1 time | Joined on Sep 2009
#10
Yes, works from all other browsers and PCs. I recall a post that mentioned self-signed certificate exceptions having trouble after the first use, but have not been able to find the post again.

I got this error after trying to connect again.


XML Parsing Error: unexpected parser state
Location: file:///usr/lib/microb-engine/chrome/toolkit/content/global/netError.xhtml
Line Number 288, Column 58:
<div id="ed_netInterrupt">&netInterrupt.longDesc;</div>
---------------------------------------------------------^

Last edited by CEN; 2010-10-09 at 14:42.
 