MeidokonWiki:

QQC! and SSL certificates

Contents

  1. QQC! and SSL certificates
    1. Visiting QQC! for the first time
      1. Fixing this properly
        1. Firefox
        2. Internet Explorer
      2. Dodgy fix
        1. Firefox
        2. Internet Explorer
    2. Installing your certificate into your browser
      1. Importing into Firefox
      2. Importing into Internet Explorer

Visiting QQC! for the first time

QQC! makes use of SSL for security. The theory is beyond the scope of this document, but SSL was designed to provide guarantees of:

  1. identity - that you're communicating with who you think you're communicating with
  2. confidentiality - ensuring that your information is not stolen or viewed while in transit

Nowadays noone cares much about identity. It's too technical to explain to most people, but that's what your browser will complain about - it can't confirm QQC!'s identity:

Fixing this properly

For a website using SSL, the identity of the website is assured by a Certificate Authority (CA). The website-owner usually pays the CA some money, and then the CA issues the SSL certificate. In our case, CAcert assures our identity for QQC. The correct fix is then to tell your browser that you trust CAcert, who in turn assures QQC!.

Firefox

  1. Visit CAcert: http://www.cacert.org/

  2. Follow the link to their Root Certificate, in the right-hand sidebar

  3. Follow the link to the Root Certificate (PEM Format) under the Class 1 PKI Key section
    cacert_class1_pki.png

  4. You'll get a popup asking you to accept the certificate
    cacert_identify_sites.png

    1. You should click the View button to show the details of the certificate
    2. Visually verify the SHA1 and MD5 Fingerprints on the certificate against the details on the webpage
    3. Close the viewing window once you're done

  5. Tick the box labelled Trust this CA to identify web sites

    • You can tick the boxes for Email users and Software developers if you like

  6. Click OK

  7. You're done. You can visit QQC! if you want, but there's not much to do until you have your browser certificate installed

Internet Explorer

  1. Visit CAcert: http://www.cacert.org/

  2. Follow the link to their Root Certificate, in the right-hand sidebar

  3. Follow the link to the Root Certificate (PEM Format) under the Class 1 PKI Key section
    cacert_class1_pki.png

  4. Let IE do its thing, either Save or Open the file
  5. If you saved, go open it. If you chose to Open, keep going.
  6. IE on Windows Vista/7 will throw you an amber security warning about what you're doing, you need to Allow/Accept to proceed

  7. You'll get the info box about the cert, click on Install Certificate:
    ie_cacert_view.png

  8. This starts the Certificate Import Wizard

  9. Click Next to get past the intro screen

  10. You need to choose the correct "store" to put the certificate in, as Windows will pick the wrong one. Select Place all certificates in the following store then click the Browse button

  11. Choose the Trusted Root Certification Authorities store and click OK

  12. Click Next and then Finish

  13. You'll then get a big security warning. Verify the sha1 thumbprint of the cert against the details on the webpage, then click Yes if they match:
    ie_ca_warning.png

  14. You should see a message indicating success
    ie_success.png

  15. You're done, now close all the dialogue boxes. You can visit QQC! if you want, but there's not much to do until you have your browser certificate installed

Dodgy fix

You can just ignore the error, it's benign.

Firefox

  1. When Firefox complains, click I Understand the Risks, and another block of warning text will appear

  2. Click the Add Exception button

  3. Click the Get Certificate button

  4. Uncheck the Permanently store this exception tickbox if you want to be hassled next time

  5. Click the Confirm Security Exception button

Internet Explorer

  1. Click Continue to this website

Installing your certificate into your browser

Get your certificate file, it should look something like this:
cert_icon.jpg

Importing into Firefox

  1. Open your Options (on linux this is in the Edit menu):
    options_menu.jpg

  2. Find the Advanced tab, then the View Certificates button:
    advanced_tab.jpg

  3. The first tab should already be selected, it's for Your Certificates

  4. Click the Import button
    import_button.jpg

  5. Find your cert in the standard dialogue box and open it

  6. You'll be asked for a password
    password_entry.jpg

  7. The password is blank, so just click OK

  8. You should see a message indicating success
    success.jpg

  9. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py

Importing into Internet Explorer

  1. Open your Internet Options:
    ie_internet_options.png

  2. Choose the Content tab and click the Certificates button:
    ie_content_certificates.png

  3. The first tab should already be selected, it's for Personal certificates

  4. Click the Import button
    ie_import.png

  5. This starts the Certificate Import Wizard

  6. Click Next to get past the intro screen

  7. Click the Browse button and find your file, you might need to fiddle the file-type box to show .p12 files:
    ie_certbrowse.png

  8. That looks good now, so click Next to get to the password screen:
    ie_import_file_select.png

  9. Tick the checkbox to Mark this key as exportable
    ie_password_entry.png

  10. The password is blank, so just click OK

  11. You can choose the "store" to put the certificate in. The default of Personal is fine, so leave that alone and click OK:
    ie_storeselect.png

  12. You should see a message indicating success
    ie_success.png

  13. You're done, now close all the dialogue boxes and try to visit a QQC! page, eg. https://qqc.meidokon.net/Quartett/qqc_report.py

  14. IE might ask you to confirm the use of your certificate, you can just click OK:
    ie_confirm_cert.png

MeidokonWiki: QQC!/certificates (last edited 2010-05-22 20:27:29 by furinkan)