I delegate my domain's OpenID logins to myopenid.com - but I was having issues getting SSL certificate based login to work in Safari.
There is one extra step that I seem to need to get this to work properly ...
Instead of using a self-signed certificate with glassfish (see Creating new SSL keys with keytool for glassfish) - we want to use one that is signed by a certificate authority.
Based on http://blogs.sun.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
I've been using self-signed certificates for a while - but - that means getting the users to approve them each time they change. Instead - let's generate a Certificate Authority (CA) certificate with a reasonably long life - get them to install that and then new certificates signed with that will be valid for them.
Here you can download the Certificate Authority for the SSL certificates used for both mail and web for chrissearle.org and chrissearle.net. The certificate authority is a special certificate used to sign and therefore validate all other certificates I use. See the pages listed below for installation instructions.
Opera
For Opera - I have no idea - it refuses to import - you'll just have to manually approve the certificates themselves for now. The .pem file is just refused (see Using a self-generated Certificate Authority for OpenSSL on debian etch for more info on this).
I needed to generate a new certificate for glassfish's admin pages.
Instead of using the normal OpenSSL self-signed certificate it was easier just to use the Java keystore keytool:
keytool -genkey -keyalg RSA -alias <alias_referred_to_in_glassfish> -keystore glassfish/domains/domain1/config/keystore.jks -storepass changeit
Note the -keyalg RSA - keytool by default uses DSA and Firefox 3.0 will not accept this even with an added security exception.
I use a plugin to Aperture to send mail to gmail. It was failing due to a
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
For more info on the debian security announcement see:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
Server keys for this host have been updated - any ssh users may well need to remove the old ones from their .known_hosts file (or equivalent). Just to let them know that the keys are changed and intentionally so.
I was experiencing odd things integrating to Google Maps - although I have both an API key for http and https - only https was working.
It turns out that the setting of the Apache environment variable SERVER_PORT was always 443 irrespective of whether I was using http/80 or https/443 from the client.
There are several reasons you may need to add a self-signed https SSL certificate to your local Java keystore.
For me - it's so that Maven can access DAV shares for repository deployment.
Cargo culted direct from the exim site.
openssl req -x509 -newkey rsa:1024 -keyout /etc/exim4/exim.key -out /etc/exim4/exim.crt -days 9999 -nodes
The really important bit is that the common name (CN) field must be the server name (at least so it seems to be for me).
Don't forget - if your POP3 and IMAP certificates also expire at the same time - to renew them too.