Security Certificates: Difference between revisions

From help.computerisms.ca

Latest revision as of 13:47, 7 October 2020

FAQ

  • Where can I download a copy of the Certificate Authority?
    • Right-click This Link and choose "Save As", "Save Target As", or "Save Link As"
    • Or use This Link if your device or computer needs a P12 Certificate
    • Or use This Link if your device or computer needs a DER encoded Certificate (Android)
  • I told Firefox to make an exception for the webmail certificate, but every once in a while it pops up again...
    • Ya, that is expected behaviour. The best solution is to install the Certificate Authority as described in the videos below.

VIDEO: Instructions for installing the Certificate Authority (AKA, getting rid of those warnings)

Windows Mac OS X Thunderbird


Importing Certificate Authority

What are Security Certificates and what are they used for?

  • All sites you visit that have https:// in the address bar are encrypted using a certificate
  • Security Certificates are a method of establishing trust and encrypting communication between different entities on a network
    • An entity can be a person or a computer
    • Certificates are issued to each entity, much like an identification card might be issued to each member of an organization
    • Each Certificate must be signed by a Certificate Authority, often referred to as the CA
      • Every certificate signed by the CA will have a trust relationship with every other certificate that is also signed by the same CA
    • When two certificates trust each other, they can be used to encrypt a connection
      • This is especially important when transmitting a username and password across the internet
    • So by installing the Computerisms Certificate Authority on your computer, you are instructing your computer to trust Computerisms Services, and your computer will no longer display a warning that you are connecting to an untrusted service.
  • Every password protected service provided by Computerisms will use Security Certificates to encrypt network connections

So why do I get a Security Certificate Warning?

  • Certificate warnings can be caused by several factors, but the most important thing to know is that just because you see a warning does not mean the connection is not encrypted
  • One possible reason for the Certificate Warning is that your computer does not know the origin of the certificate on the server
    • When you go to an https-enabled site that does not show the warning, it is because a purchased certificate on the server and a certificate on your computer have been signed by the same CA
    • When one generates his own Certificates instead of purchasing them, as Computerisms does, they are considered Self-Signed.
    • Since Computerisms uses self-signed certificates and doesn't pay the fees to have its certificates signed by the same CA used by your computer, your computer will not trust the server's certificate
      • A person with the right knowledge can set up a system that is just as secure at a fraction of a fraction (yes, a fraction of a fraction) of the cost of purchasing certificates
      • Using paid Certificates on a Hosting Server that is hosting many domains is prohibitively expensive
    • Since your computer cannot verify the origin of the certificate on the server, it cannot establish a trust relationship with the server
      • The warning will inform you that the certificate on the server cannot be trusted because its origins cannot be confirmed
      • Since you know the origins of the certificate (It comes from Computerisms), you can override your computer's paranoia
    • By temporarily overriding the warning, you instruct your computer to trust the certificate on the server
    • Once the trust is established, then the certificates can be used to encrypt the communication so your password is not transmitted in clear text
    • Installing the Computerisms CA on your computer will make it so your computer trusts the server's certificate without throwing a warning
  • Another reason a security certificate warning might pop up is a mismatched address
    • Computerisms Webmail is one site that answers to many names, such as https://webmail.domain.tld
    • If you arrive at the site by a name that is different than the one on the certificate, your computer will warn you that the address in your address bar is not the same as the address on the certificate.
      • This might happen if you are using an IP address to connect, or are otherwise subverting normal operations
    • Computerisms endeavours to make sure all of its customers' names are on the certificate, so this problem should not be seen when connecting to Computerisms Services
      • If you do see this problem, it is the result of a typo or other accidental misconfiguration. Please notify us if you see this
  • Remember, regardless of the warning, when you instruct your computer to trust the certificate, encryption will still happen. So long as you know the certificate, you will know who you are connecting to, even if your computer doesn't, so you will be sending your passwords over the internet encrypted in such a way that other people can't see them. You should not send a password on an unencrypted connection.
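
The mismatched-address warning described above comes from a name comparison the client runs against the names listed on the certificate. The following is an added example, not code from Computerisms or from any browser: it sketches that comparison with a conservative wildcard rule, and the name list, the `customer.example` domain and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: names a certificate might carry. "domain.tld" is the
# page's own placeholder; "customer.example" is invented for illustration.
SAMPLE_DNS_NAMES = ["webmail.domain.tld", "*.customer.example"]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Compare one certificate name with the requested host, ignoring case."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative wildcard rule: "*" stands for exactly one left-most
        # label and needs at least two labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_name(requested, dns_names, ip_addresses=()):
    """Return (ok, reason) for the address typed into the client."""
    if _is_ip(requested):
        # An IP address never matches a DNS name, only a listed IP entry.
        want = ipaddress.ip_address(requested)
        if any(ipaddress.ip_address(ip) == want for ip in ip_addresses):
            return True, "matched IP " + requested
        return False, "IP address not on certificate"
    for name in dns_names:
        if _dns_match(name, requested):
            return True, "matched " + name
    return False, "name not on certificate"

if __name__ == "__main__":
    for host in ("webmail.domain.tld", "mail.customer.example",
                 "a.b.customer.example", "webmial.domain.tld", "192.0.2.10"):
        print(host, "->", check_name(host, SAMPLE_DNS_NAMES))
```

Connecting by IP address fails here even though the server is the right one, which is the case the list above mentions; partial wildcards such as `w*.domain.tld` are treated as literal names in this sketch.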

Okay, Now I know why, but what do I do about it?

  • If one extra click every time you use a Computerisms Service does not seem unreasonable, then one viable option is to do nothing
  • In some cases, the problem can be solved on the server.
    • Purchased certificates solve the problem, but are too cost prohibitive to provide globally to all customers
      • Since we can't provide purchased certificates, it is better to have a self-signed certificate and provide education regarding the warning than it is to have no certificate at all.
        • Without the certificate, we cannot encrypt the transmission of your password
    • You can purchase a certificate and Computerisms will install it for you
    • Computerisms can assist with the acquisition of a certificate, please contact us for information
  • You can import the CA into your system so as to put a certificate on your machine that will recognize and trust the certificate on the server