Self Signed Cert and your browser
PeterPotkay
Posted: Mon Jul 01, 2013 7:20 am Post subject: Self Signed Cert and your browser
Poobah
Joined: 15 May 2001 Posts: 7722
I have a self signed cert configured on the Web Management Service on two Datapower appliances in our lab. The certificate is for encrypting the traffic, not uniquely identifying any one appliance so they both use the same self signed certificate.
When I use Internet Explorer 8 or Firefox 5 to hit this interface they both complain about the unknown certificate and this is expected. You can get past the warning in both but I would like to set it up the right way in my browsers. Using Firefox I grabbed a copy of the public side of the certificate. Tools...Page Info...Security...View Certificate...Details...Export. I saved it to my local drive letting the file type default to X.509 Certificate (PEM). The file is saved without an extension though. The file name is somevalue.ourdomain.com and that's it.
Internet Explorer
I figured I could just import this file into Tools...Internet Options...Content...Certificates...Trusted Root Certificates. But that's not enough. I also have to go to Tools...Internet Options...Advanced... and turn off "Warn about certificate address mismatch". Only when I did both do I not get the warning when I first hit the Web Management Service. Why is that? Why is just adding the certificate to my browser's cert store not enough?
Firefox
No combination of what I do manually under Tools...Options...Advanced...Encryption...View Certificates solves the Firefox warning. I added the certificate into the Authorities tab and I added it to the Servers tab (server = *), but it doesn't work. If from the warning page I go to I understand the Risks...Add Exception...Confirm Security Exception (Permanently store this exception) that does work. That process adds the cert into the Authorities tab, it adds the specific appliance to the Servers tab (server name = the actual appliance name) but apparently it does something else. What?
_________________
Peter Potkay
Keep Calm and MQ On
fjb_saper
Posted: Tue Jul 02, 2013 4:26 am Post subject:
Grand High Poobah
Joined: 18 Nov 2003 Posts: 20756 Location: LI,NY
Hi Peter,
There is a little twist when you use certificates over https.
One of them is that the CN is supposed to match the URL https://something where the something is the URL the cert is for.
So using the same self signed cert for 2 different URLs will give you grief at least on one of them. For MQ we use the qmgr name in the CN.
The only way this would work without the warning would be if the cert was for a type of load balanced URL and be set up at each of the endpoints, i.e. regardless of which endpoint you hit the URL will match the CN of the cert.
Have fun
_________________
MQ & Broker admin
PeterPotkay
Posted: Mon Jul 08, 2013 5:02 am Post subject:
Poobah
Joined: 15 May 2001 Posts: 7722
Thanks fjb_saper, that makes sense now. The CN for this certificate is an abstract one that doesn't match the actual URL used to access these Lab appliances, and so the browser is warning me there is a mismatch between the CN of the cert and the URL in the browser address bar.
_________________
Peter Potkay
Keep Calm and MQ On
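
Added example (not part of the thread or any poster's code): a host name check in Python over a certificate in the dict shape that `ssl.SSLSocket.getpeercert()` returns, showing why one shared certificate with an abstract CN fails the name check on both appliances even once it is trusted. It goes beyond the thread by also reading DNS subjectAltName entries, which is where a single certificate can list more than one host name; all host names and certificates below are constructed.

```python
# Added example. Certificates use the dict shape of ssl.SSLSocket.getpeercert();
# every host name and certificate here is constructed for illustration.

def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, case-insensitively.
    '*' is honoured only as the entire left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        return p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS subjectAltName entries if present, otherwise the subject CN(s)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def check_hosts(cert: dict, hosts: list) -> dict:
    """Map each host to True (name covered) or False (mismatch warning)."""
    names = cert_names(cert)
    return {h: any(_name_matches(n, h) for n in names) for h in hosts}


# Constructed lab host names (assumption; the thread does not give them).
APPLIANCES = ["dp-lab1.example.com", "dp-lab2.example.com"]

# Shared certificate with an abstract CN, the situation the thread describes.
SHARED_ABSTRACT = {"subject": ((("commonName", "dp-webgui.example.com"),),)}

# Shared certificate that names both appliances as DNS alternative names.
SHARED_WITH_SANS = {
    "subject": ((("commonName", "dp-webgui.example.com"),),),
    "subjectAltName": (("DNS", "dp-lab1.example.com"),
                       ("DNS", "dp-lab2.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("abstract CN", SHARED_ABSTRACT),
                        ("with SANs", SHARED_WITH_SANS)):
        print(label, check_hosts(cert, APPLIANCES))
```

Trusting the certificate and matching its name are separate checks, which is why importing it into a trust store alone does not clear the address mismatch warning.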