Results 1 to 8 of 8

Thread: Self signed certificates and browsers

  1. #1
    gbarchi is offline Member
    Join Date
    Oct 2011
    Posts
    12
    Rep Power
    3

    Default Self signed certificates and browsers

    Hello,

    I am continuing with the Zimbra installation, counting the days until I can decommission my old Exchange server. I have now everything working pretty well except importing the self signed certificates in IE8 or Chrome.

    On the browser, once I get the security warning Iīve gone ahead and installed the certificate which matches the URL I am using to access the web client. The installation ends saying the installation was successful, however after trying it 10 times it doesnīt appear under any of the certificate stores I have placed it in. I have also tried downloading it first and then installing it. Same result. Of course, this is not working either in Outlook 2007. I get there the same security warning.

    However, strangely enough under de MMC snap-in, I do see the self-signed certificate. Donīt understand why I can see it there, but I cannot see it through the browsers. And why if it is installed, I keep getting the security warnings.

    By the way I am on Win7 and also XP.

    Thanks in advance!

    GP

  2. #2
    LHammonds's Avatar
    LHammonds is offline Special Member
    Join Date
    Sep 2011
    Location
    Texas
    Posts
    150
    Rep Power
    3

    Default

    You got me curious so I thought I'd do some checks myself.

    I am running Zimbra 7.1.2 OSE on Ubuntu 10.04.3 LTS using self-signed certificates at the moment.

    Mozilla Firefox 7.0.1, 32-bit (on Windows 7, 64-bit) - It accepted the cert and did not ask for it again (works). I can find it under Options --> Advanced --> Encryption --> View Certificates --> Servers tab --> Zimbra Collaboration Suite

    They are listed for both the client and admin locations as well as my domain-level access and server name due to how I accessed them via the address bar.

    MS Internet Explorer 9.0, 32-bit (on Windows 7, 64-bit) - It does not accept the certificate but it does allow me to access the site. At no point does it allow me to "accept" the certificate and be happy. It barks about it each time I initially access the site. And since it does not accept the certificate as being valid, it will not show up in the "view certificates" section.

    LHammonds
    Last edited by LHammonds; 10-13-2011 at 12:27 PM.

  3. #3
    gbarchi is offline Member
    Join Date
    Oct 2011
    Posts
    12
    Rep Power
    3

    Default

    Hi LHammonds,

    Thank you for your reply. I know Firefox has always been more forgiving with self-signed certificates, unfortunately we do not support Firefox in our organization.

    However, I have to mention that I am able to access the site, and like you I have IE and Google giving out warnings about the unsafe certificate. My aim is to remove these warnings. In the past I have used self-signed certificates with these browsers and I canīt remember having these problems.

    GP

  4. #4
    lytledd is offline Elite Member
    Join Date
    Dec 2009
    Location
    Michigan
    Posts
    453
    Rep Power
    5

    Default

    This works for us on IE as well as Outlook:

    Free/Busy Information in Outlook - Zimbra :: Wiki

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

  5. #5
    gbarchi is offline Member
    Join Date
    Oct 2011
    Posts
    12
    Rep Power
    3

    Default

    Doug, wow, that worked!

    Thanks a lot.

    GP

  6. #6
    gbarchi is offline Member
    Join Date
    Oct 2011
    Posts
    12
    Rep Power
    3

    Default

    Hello again,

    BTW, this worked on Win7, but it is not working for WinXP.

    GP

  7. #7
    lytledd is offline Elite Member
    Join Date
    Dec 2009
    Location
    Michigan
    Posts
    453
    Rep Power
    5

    Default

    This works fine with all of our Windows XP installs, which is quite a few.

    Doug
    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

  8. #8
    LHammonds's Avatar
    LHammonds is offline Special Member
    Join Date
    Sep 2011
    Location
    Texas
    Posts
    150
    Rep Power
    3

    Default

    Quote Originally Posted by lytledd View Post
    This works for us on IE as well as Outlook:

    Free/Busy Information in Outlook - Zimbra :: Wiki

    Doug
    Thanks Doug for the info / link. I've included this bit of info in my own documentation.

    EDIT: Actually, the Zimbra wiki article is only good for one or two computers in a non-domain environment. If you have a Windows Active Directory domain, it is MUCH easier to just add the certificate to Group Policy and all your connected machines magically accept the certificate...no messing around with each PC. Again, this is just for the self-signed certs...if you are using this in production, it is recommended to get a commercial cert and these steps are not necessary.

    Here is how I did it on my Windows 2003 domain for my Zimbra test server:


    1. On the domain controller, open Active Directory Users and Computers
    2. Right-click on your domain and select Properties
    3. Select the Group Policy tab
    4. Select the Default Domain Policy and click the Edit button
    5. Expand Computer Configuration --> Windows Settings --> Security Settings --> Public Key Policies
    6. Right-click on Trusted Root Certification Authorities and click Import
    7. Import Wizard - Click Next
    8. Type the path to the cacert.der from your Zimbra server or click Browse (if you browse, you will need to change the file type to All Files in order to see the certificate file) and then click Next
    9. Select Place all certificates in the following store --> Trusted Root Certification Authorities and click Next, Finish
    10. The import was successful - Click OK
    11. You should now see your mail server domain in the list. Example: mail.mydomain.com
    12. Close Group Policy Object Editor and any other windows you opened


    Any Windows machine on your domain should now be able to open Internet Explorer and visit your SSL-enabled mail server without IE complaining...same with Outlook usage.

    LHammonds
    Last edited by LHammonds; 10-14-2011 at 12:43 PM.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Certificates for multiple domains
    By iain in forum Administrators
    Replies: 21
    Last Post: 07-23-2010, 03:31 AM
  2. [SOLVED] Installing existing SSL certificates (solved)
    By inigoml in forum Administrators
    Replies: 22
    Last Post: 02-24-2009, 10:32 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •