= QQC! and SSL certificates = <> == Visiting QQC! for the first time == * https://qqc.meidokon.net/ QQC! makes use of SSL for security. The theory is beyond the scope of this document, but SSL was designed to provide guarantees of: i. identity - that you're communicating with who you think you're communicating with i. confidentiality - ensuring that your information is not stolen or viewed while in transit Nowadays noone cares much about identity. It's too technical to explain to most people, but that's what your browser will complain about - it can't confirm QQC!'s identity: * [[attachment:firefox_whine.png| Firefox complaining]] * [[attachment:ie_whine.png| IE complaining]] === Fixing this properly === For a website using SSL, the identity of the website is assured by a Certificate Authority (CA). The website-owner usually pays the CA some money, and then the CA issues the SSL certificate. In our case, CAcert assures our identity for QQC. The correct fix is then to tell your browser that you trust CAcert, who in turn assures QQC!. ==== Firefox ==== 1. Visit CAcert: http://www.cacert.org/ 1. Follow the link to their Root Certificate, in the right-hand sidebar 1. Follow the link to the ''Root Certificate (PEM Format)'' under the ''Class 1 PKI Key'' section <
> {{attachment:cacert_class1_pki.png}} 1. You'll get a popup asking you to accept the certificate <
> {{attachment:cacert_identify_sites.png}} i. You should click the View button to show the details of the certificate i. Visually verify the SHA1 and MD5 Fingerprints on the certificate against the details on the webpage i. Close the viewing window once you're done 1. Tick the box labelled ''Trust this CA to identify web sites'' * You can tick the boxes for ''Email users'' and ''Software developers'' if you like 1. Click OK 1. You're done. You can [[https://qqc.meidokon.net/| visit QQC!]] if you want, but there's not much to do until you have your browser certificate installed ==== Internet Explorer ==== 1. Visit CAcert: http://www.cacert.org/ 1. Follow the link to their Root Certificate, in the right-hand sidebar 1. Follow the link to the ''Root Certificate (PEM Format)'' under the ''Class 1 PKI Key'' section <
> {{attachment:cacert_class1_pki.png}} 1. Let IE do its thing, either Save or Open the file 1. If you saved, go open it. If you chose to Open, keep going. 1. IE on Windows Vista/7 will throw you an amber security warning about what you're doing, you need to Allow/Accept to proceed 1. You'll get the info box about the cert, click on ''Install Certificate'': <
> {{attachment:ie_cacert_view.png}} 1. This starts the ''Certificate Import Wizard'' 1. Click ''Next'' to get past the intro screen 1. You need to choose the correct "store" to put the certificate in, as Windows will pick the wrong one. Select ''Place all certificates in the following store'' then click the ''Browse'' button 1. Choose the ''Trusted Root Certification Authorities'' store and click OK 1. Click ''Next'' and then ''Finish'' 1. You'll then get a big security warning. Verify the sha1 thumbprint of the cert against the details on the webpage, then click Yes if they match: <
> {{attachment:ie_ca_warning.png}} 1. You should see a message indicating success <
> {{attachment:ie_success.png}} 1. You're done, now close all the dialogue boxes. You can [[https://qqc.meidokon.net/| visit QQC!]] if you want, but there's not much to do until you have your browser certificate installed === Dodgy fix === You can just ignore the error, it's benign. ==== Firefox ==== 1. When Firefox complains, click ''I Understand the Risks'', and another block of warning text will appear 1. Click the ''Add Exception'' button 1. Click the ''Get Certificate'' button 1. Uncheck the ''Permanently store this exception'' tickbox if you want to be hassled next time 1. Click the ''Confirm Security Exception'' button ==== Internet Explorer ==== 1. Click ''Continue to this website'' == Installing your certificate into your browser == Get your certificate file, it should look something like this: <
> {{attachment:cert_icon.jpg}} === Importing into Firefox === 1. Open your ''Options'' (on linux this is in the Edit menu): <
> {{attachment:options_menu.jpg}} 1. Find the ''Advanced'' tab, then the ''View Certificates'' button: <
> {{attachment:advanced_tab.jpg}} 1. The first tab should already be selected, it's for ''Your Certificates'' 1. Click the ''Import'' button <
> {{attachment:import_button.jpg}} 1. Find your cert in the standard dialogue box and open it 1. You'll be asked for a password <
> {{attachment:password_entry.jpg}} 1. The password is blank, so just click OK 1. You should see a message indicating success <
> {{attachment:success.jpg}} 1. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py === Importing into Internet Explorer === 1. Open your Internet Options: <
> {{attachment:ie_internet_options.png}} 1. Choose the ''Content'' tab and click the ''Certificates'' button: <
> {{attachment:ie_content_certificates.png}} 1. The first tab should already be selected, it's for ''Personal'' certificates 1. Click the ''Import'' button <
> {{attachment:ie_import.png}} 1. This starts the ''Certificate Import Wizard'' 1. Click ''Next'' to get past the intro screen 1. Click the ''Browse'' button and find your file, you might need to fiddle the file-type box to show `.p12` files: <
> {{attachment:ie_certbrowse.png}} 1. That looks good now, so click ''Next'' to get to the password screen: <
> {{attachment:ie_import_file_select.png}} 1. Tick the checkbox to ''Mark this key as exportable'' <
> {{attachment:ie_password_entry.png}} 1. The password is blank, so just click OK 1. You can choose the "store" to put the certificate in. The default of ''Personal'' is fine, so leave that alone and click OK: <
> {{attachment:ie_storeselect.png}} 1. You should see a message indicating success <
> {{attachment:ie_success.png}} 1. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py 1. IE might ask you to confirm the use of your certificate, you can just click OK: <
> {{attachment:ie_confirm_cert.png}}