Security Certificates: Difference between revisions

From help.computerisms.ca

Revision as of 17:52, 2 August 2012

What are Security Certificates and what are they used for?

  • Security Certificates are a method of establishing trust and encrypting communication between different entities on a network
    • An entity can be a person or a computer
    • Certificates are issued to each entity, much like an identification card might be issued to each member of an organization
    • Each Certificate must be signed by a Certificate Authority, often referred to as the CA
      • Every certificate signed by the CA will trust every other certificate that is also signed by the same CA
    • When two certificates trust each other, they can be used to encrypt a connection
      • This is especially important when transmitting a username and password across the internet
  • Each service provided by Computerisms will use Security Certificates to encrypt network connections
  • Sites you visit that have https:// in the address bar are secured by a certificate

So why do I get a Security Certificate Warning?

  • Certificate warnings can be caused by several factors, but the most important thing to know is that just because you see a warning does not mean the site is not secured
  • One possible reason for the Certificate Warning is that your computer does not know the origin of the certificate on the server
    • When you go to an https-enabled site that does not show the warning, it is because a purchased certificate on the server and a certificate on your computer have been signed by the same CA
    • When one generates his own Certificates instead of purchasing them, as Computerisms does, they are considered Self-Signed.
    • Since Computerisms doesn't pay the fees to have its certificates signed by the same CA used by your computer, your computer will not trust the server's certificate
      • A person with the right knowledge can set up a system that is just as secure at a fraction of a fraction of the cost of purchasing certificates
      • Using paid Certificates on a Hosting Server that is hosting many domains is prohibitively expensive
    • Since your computer cannot verify the origin of the certificate on the server, it cannot establish a trust relationship with the server
      • The warning will inform you that the certificate on the server cannot be trusted because its origins cannot be confirmed
      • Since you know the origins of the certificate (It comes from Computerisms), you can override your computer's paranoia
    • By temporarily overriding the warning, you instruct your computer to trust the certificate on the server
    • Once the trust is established, then the certificates can be used to encrypt the communication so your password is not transmitted in clear text
  • Another reason a security certificate warning might pop up is a mismatched address
    • Computerisms Webmail is one site that answers to many names, such as https://webmail.domain.tld
    • If you arrive at the site by a name that is different than the one on the certificate, your computer will warn you about it.
  • Remember, regardless of the warning, when you instruct your computer to trust the certificate, encryption will still happen so it is safe to send your passwords over the internet
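
The two causes of the warning described above, and the effect of installing the CA certificate, reproduced with the `openssl` command line. This is an added example, not part of the original page or of Computerisms' own setup: the CA name "Example Private CA" and all keys are constructed, and the host names are the page's placeholders. The fingerprint it prints is the value to compare with the operator through a separate channel before importing a CA as a trusted root; the page publishes no such value, so that step is an assumption.

```shell
#!/bin/sh
# Constructed demo: a throwaway private CA and one server certificate, checked
# the way a TLS client checks them. "Example Private CA" is a made-up name;
# webmail.domain.tld and rc.domain.tld are the page's placeholder host names.

make_demo_pki() {  # $1 = empty working directory
  # Self-signed root certificate: this is the Certificate Authority.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  # Server key and signing request for the name users are meant to type.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=webmail.domain.tld" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null || return 1
  # The CA signs the request; subjectAltName is the name clients match against.
  printf 'subjectAltName=DNS:webmail.domain.tld\n' > "$1/san.ext"
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/san.ext" \
    -out "$1/srv.crt" 2>/dev/null
}

# classify DIR HOSTNAME [CAFILE]: verify srv.crt for HOSTNAME, with CAFILE (if
# given) as the only added trusted root, and name the outcome.
classify() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$3" -verify_hostname "$2" "$1/srv.crt" 2>&1)
  else
    out=$(openssl verify -verify_hostname "$2" "$1/srv.crt" 2>&1)
  fi && { echo trusted; return 0; }
  case $out in
    *"unable to get local issuer"*) echo unknown-issuer ;;
    *ostname\ mismatch*)            echo name-mismatch ;;
    *)                              echo other-failure ;;
  esac
}

ca_fingerprint() {  # SHA-256 fingerprint of DIR/ca.crt
  openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
echo "CA not installed, name on cert: $(classify "$demo_dir" webmail.domain.tld)"
echo "CA installed, name on cert:     $(classify "$demo_dir" webmail.domain.tld "$demo_dir/ca.crt")"
echo "CA installed, other name:       $(classify "$demo_dir" rc.domain.tld "$demo_dir/ca.crt")"
echo "CA SHA-256 fingerprint:         $(ca_fingerprint "$demo_dir")"
```

Passing `-CAfile` stands in for importing the CA into the trusted root store; the server certificate and its key are identical in all three checks, only the client's trust settings and the name it asked for differ.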

Okay, Now I know why, but what do I do about it?

  • In some cases, the problem can be solved on the server.
    • If for example you wish to run an online store, you will need to purchase your own certificate
    • In the case of Computerisms Services, purchasing certificates is very cost prohibitive
      • As a hosting provider, Computerisms is not the only company facing this problem
      • It is better to have a certificate and a warning than it is to have no certificate at all
  • While Security Certificates are an open standard, implementation varies quite a bit depending on the browser and platform it runs on


  • Certificates can be purchased for the server so the warning doesn't appear in your browser, but they are prohibitively expensive for our hosting environment
    • Certificates in general are very very expensive in proportion to the effort required to make them.
    • Computerisms can make certificates that will encrypt a connection every bit as good as a paid certificate for a small fraction of the cost
      • Certificates generated by Computerisms will not be automatically trusted by your computer, and therefore will always show you the certificate warning
  • In the case of Computerisms and its customers, we can manually establish our trust, which in turn allows encryption of our passwords
    • Despite the warning, the encryption is still taking place on our system
      • Said another way: Security certificates are still securing your transmission, even though the warning might make you think otherwise.
  • Computerisms Certificates can be installed on your machine in such a way that your computer will trust the Computerisms certificates
    • If you do not want to see the warning at every page, then please follow these instructions

Internet Explorer - Importing Certificate Authority

  • The easiest way to install a certificate is using Internet Explorer
  • Open your start menu and choose "All Programs"
  • In the list, right click Internet Explorer
  • In the menu, choose "Run as Administrator"
  • If you are presented with a window confirming the program should be allowed to make changes to your computer, select Yes
  • Navigate to https://rc.domain.tld or any other encrypted Computerisms service
  • Select "Continue to this website (not recommended)"
    • For the record, it is recommended...
  • In the next window, you will notice the address bar goes red.
  • Click in the address bar where the X is displayed as a certificate warning
  • In the small window that opens up, click the link at the bottom called "View certificates"
  • In the next window, find the tab called "Certification Path" and click it
  • Click on the line that says Computerisms Certificate Authority
  • Then click the "View Certificate" button
  • In the next window, click the button called "Install Certificate"
    • Note: if you did not run Internet Explorer as Administrator, this button will not show up
  • The next window will be the start of the Certificate Import Wizard
  • Click Next
  • Move the Radio button to be beside "Place all Certificates in the following store"
  • Click the browse button to open the navigation window
  • In the navigation window, select "Trusted Root Certification Authorities"
  • Click OK, then click Next
  • Click the Finish button
  • Another warning window will pop up, click Yes in the bottom right corner
  • A window will pop up confirming the import was successful, click OK on that window
  • Click OK on the Computerisms Certificate Authority Certificate Window
  • Click OK on the first Certificate Window