|
Size: 460
Comment: typo fix
|
← Revision 10 as of 2010-05-22 20:27:29 ⇥
Size: 6483
Comment: title change
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = QQC! = | = QQC! and SSL certificates = <<TableOfContents>> == Visiting QQC! for the first time == * https://qqc.meidokon.net/ QQC! makes use of SSL for security. The theory is beyond the scope of this document, but SSL was designed to provide guarantees of: i. identity - that you're communicating with who you think you're communicating with i. confidentiality - ensuring that your information is not stolen or viewed while in transit Nowadays noone cares much about identity. It's too technical to explain to most people, but that's what your browser will complain about - it can't confirm QQC!'s identity: * [[attachment:firefox_whine.png| Firefox complaining]] * [[attachment:ie_whine.png| IE complaining]] === Fixing this properly === For a website using SSL, the identity of the website is assured by a Certificate Authority (CA). The website-owner usually pays the CA some money, and then the CA issues the SSL certificate. In our case, CAcert assures our identity for QQC. The correct fix is then to tell your browser that you trust CAcert, who in turn assures QQC!. ==== Firefox ==== 1. Visit CAcert: http://www.cacert.org/ 1. Follow the link to their Root Certificate, in the right-hand sidebar 1. Follow the link to the ''Root Certificate (PEM Format)'' under the ''Class 1 PKI Key'' section <<BR>> {{attachment:cacert_class1_pki.png}} 1. You'll get a popup asking you to accept the certificate <<BR>> {{attachment:cacert_identify_sites.png}} i. You should click the View button to show the details of the certificate i. Visually verify the SHA1 and MD5 Fingerprints on the certificate against the details on the webpage i. Close the viewing window once you're done 1. Tick the box labelled ''Trust this CA to identify web sites'' * You can tick the boxes for ''Email users'' and ''Software developers'' if you like 1. Click OK 1. You're done. You can [[https://qqc.meidokon.net/| visit QQC!]] if you want, but there's not much to do until you have your browser certificate installed ==== Internet Explorer ==== 1. Visit CAcert: http://www.cacert.org/ 1. Follow the link to their Root Certificate, in the right-hand sidebar 1. Follow the link to the ''Root Certificate (PEM Format)'' under the ''Class 1 PKI Key'' section <<BR>> {{attachment:cacert_class1_pki.png}} 1. Let IE do its thing, either Save or Open the file 1. If you saved, go open it. If you chose to Open, keep going. 1. IE on Windows Vista/7 will throw you an amber security warning about what you're doing, you need to Allow/Accept to proceed 1. You'll get the info box about the cert, click on ''Install Certificate'': <<BR>> {{attachment:ie_cacert_view.png}} 1. This starts the ''Certificate Import Wizard'' 1. Click ''Next'' to get past the intro screen 1. You need to choose the correct "store" to put the certificate in, as Windows will pick the wrong one. Select ''Place all certificates in the following store'' then click the ''Browse'' button 1. Choose the ''Trusted Root Certification Authorities'' store and click OK 1. Click ''Next'' and then ''Finish'' 1. You'll then get a big security warning. Verify the sha1 thumbprint of the cert against the details on the webpage, then click Yes if they match: <<BR>> {{attachment:ie_ca_warning.png}} 1. You should see a message indicating success <<BR>> {{attachment:ie_success.png}} 1. You're done, now close all the dialogue boxes. You can [[https://qqc.meidokon.net/| visit QQC!]] if you want, but there's not much to do until you have your browser certificate installed === Dodgy fix === You can just ignore the error, it's benign. ==== Firefox ==== 1. When Firefox complains, click ''I Understand the Risks'', and another block of warning text will appear 1. Click the ''Add Exception'' button 1. Click the ''Get Certificate'' button 1. Uncheck the ''Permanently store this exception'' tickbox if you want to be hassled next time 1. Click the ''Confirm Security Exception'' button ==== Internet Explorer ==== 1. Click ''Continue to this website'' |
| Line 4: | Line 66: |
| Get your certificate file, it should look something like this: <<BR>> {{attachment:cert_icon.jpg}} | |
| Line 5: | Line 68: |
| 1. Get your certificate file, it should look something like this: <<BR>> {{attachment:cert_icon.jpg}} <<BR>> 1. Importing into Firefox 1. Open your Options (on linux this is in the Edit menu): <<BR>> {{attachment:options_menu.jpg}} <<BR>> 1. Find the Advanced tab, then the View Certificates button: <<BR>> {{attachment:advanced_tab.jpg}} <<BR>> 1. Click the Import button <<BR>> |
=== Importing into Firefox === 1. Open your ''Options'' (on linux this is in the Edit menu): <<BR>> {{attachment:options_menu.jpg}} 1. Find the ''Advanced'' tab, then the ''View Certificates'' button: <<BR>> {{attachment:advanced_tab.jpg}} 1. The first tab should already be selected, it's for ''Your Certificates'' 1. Click the ''Import'' button <<BR>> {{attachment:import_button.jpg}} 1. Find your cert in the standard dialogue box and open it 1. You'll be asked for a password <<BR>> {{attachment:password_entry.jpg}} 1. The password is blank, so just click OK 1. You should see a message indicating success <<BR>> {{attachment:success.jpg}} 1. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py === Importing into Internet Explorer === 1. Open your Internet Options: <<BR>> {{attachment:ie_internet_options.png}} 1. Choose the ''Content'' tab and click the ''Certificates'' button: <<BR>> {{attachment:ie_content_certificates.png}} 1. The first tab should already be selected, it's for ''Personal'' certificates 1. Click the ''Import'' button <<BR>> {{attachment:ie_import.png}} 1. This starts the ''Certificate Import Wizard'' 1. Click ''Next'' to get past the intro screen 1. Click the ''Browse'' button and find your file, you might need to fiddle the file-type box to show `.p12` files: <<BR>> {{attachment:ie_certbrowse.png}} 1. That looks good now, so click ''Next'' to get to the password screen: <<BR>> {{attachment:ie_import_file_select.png}} 1. Tick the checkbox to ''Mark this key as exportable'' <<BR>> {{attachment:ie_password_entry.png}} 1. The password is blank, so just click OK 1. You can choose the "store" to put the certificate in. The default of ''Personal'' is fine, so leave that alone and click OK: <<BR>> {{attachment:ie_storeselect.png}} 1. You should see a message indicating success <<BR>> {{attachment:ie_success.png}} 1. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py 1. IE might ask you to confirm the use of your certificate, you can just click OK: <<BR>> {{attachment:ie_confirm_cert.png}} |
QQC! and SSL certificates
Contents
Visiting QQC! for the first time
QQC! makes use of SSL for security. The theory is beyond the scope of this document, but SSL was designed to provide guarantees of:
- identity - that you're communicating with who you think you're communicating with
- confidentiality - ensuring that your information is not stolen or viewed while in transit
Nowadays noone cares much about identity. It's too technical to explain to most people, but that's what your browser will complain about - it can't confirm QQC!'s identity:
Fixing this properly
For a website using SSL, the identity of the website is assured by a Certificate Authority (CA). The website-owner usually pays the CA some money, and then the CA issues the SSL certificate. In our case, CAcert assures our identity for QQC. The correct fix is then to tell your browser that you trust CAcert, who in turn assures QQC!.
Firefox
Visit CAcert: http://www.cacert.org/
- Follow the link to their Root Certificate, in the right-hand sidebar
Follow the link to the Root Certificate (PEM Format) under the Class 1 PKI Key section
You'll get a popup asking you to accept the certificate
- You should click the View button to show the details of the certificate
- Visually verify the SHA1 and MD5 Fingerprints on the certificate against the details on the webpage
- Close the viewing window once you're done
Tick the box labelled Trust this CA to identify web sites
You can tick the boxes for Email users and Software developers if you like
- Click OK
You're done. You can visit QQC! if you want, but there's not much to do until you have your browser certificate installed
Internet Explorer
Visit CAcert: http://www.cacert.org/
- Follow the link to their Root Certificate, in the right-hand sidebar
Follow the link to the Root Certificate (PEM Format) under the Class 1 PKI Key section
- Let IE do its thing, either Save or Open the file
- If you saved, go open it. If you chose to Open, keep going.
- IE on Windows Vista/7 will throw you an amber security warning about what you're doing, you need to Allow/Accept to proceed
You'll get the info box about the cert, click on Install Certificate:
This starts the Certificate Import Wizard
Click Next to get past the intro screen
You need to choose the correct "store" to put the certificate in, as Windows will pick the wrong one. Select Place all certificates in the following store then click the Browse button
Choose the Trusted Root Certification Authorities store and click OK
Click Next and then Finish
You'll then get a big security warning. Verify the sha1 thumbprint of the cert against the details on the webpage, then click Yes if they match:
You should see a message indicating success
You're done, now close all the dialogue boxes. You can visit QQC! if you want, but there's not much to do until you have your browser certificate installed
Dodgy fix
You can just ignore the error, it's benign.
Firefox
When Firefox complains, click I Understand the Risks, and another block of warning text will appear
Click the Add Exception button
Click the Get Certificate button
Uncheck the Permanently store this exception tickbox if you want to be hassled next time
Click the Confirm Security Exception button
Internet Explorer
Click Continue to this website
Installing your certificate into your browser
Get your certificate file, it should look something like this:
Importing into Firefox
Open your Options (on linux this is in the Edit menu):
Find the Advanced tab, then the View Certificates button:
The first tab should already be selected, it's for Your Certificates
Click the Import button
- Find your cert in the standard dialogue box and open it
You'll be asked for a password
- The password is blank, so just click OK
You should see a message indicating success
You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py
Importing into Internet Explorer
Open your Internet Options:
Choose the Content tab and click the Certificates button:
The first tab should already be selected, it's for Personal certificates
Click the Import button
This starts the Certificate Import Wizard
Click Next to get past the intro screen
Click the Browse button and find your file, you might need to fiddle the file-type box to show .p12 files:
That looks good now, so click Next to get to the password screen:
Tick the checkbox to Mark this key as exportable
- The password is blank, so just click OK
You can choose the "store" to put the certificate in. The default of Personal is fine, so leave that alone and click OK:
You should see a message indicating success
You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py
IE might ask you to confirm the use of your certificate, you can just click OK:
