From: Christian Zeng (christian@zengl.net)
Date: Wed Sep 19 2007 - 17:18:26 ART
Hi,
you basically have to solve two problems.
* pankaj ahuja wrote:
> "The security certificate presented by this website was not issued by a
> trusted certificate authority.
Using a self-signed cert will not work for the "public internet"/normal 
browsers/operating systems. Your clients are checking the received 
certificate against what issuers they have available in their local cert 
stores. So for getting rid of these warnings and to be in line with the 
checks a client does, you have two options here:
Buy a certificate from the usual suspects like Verisign, or set up your 
own (small) CA/PKI and distribute the CA certificate(s) to your clients. 
Note that the latter might not be an option when using public internet 
access like Internet cafés. Their browsers will only accept certificates 
without a warning from the pre-installed PKIs. If you have a closed user 
group and have control over their equipment, you can do that (MS AD 
provides autoenrollment/distribution).
> The security certificate presented by this website was issued for a
> different website's address"
That's another check a client (web browser) does: it looks at the CN 
within the received concentrator certificate and compares this to what 
the user has typed into the address bar of the browser. So when creating 
the certificate request, you have to know what the public DNS 
name of the webvpn site will be (webmail.company.com). I wouldn't use IP 
addresses for a Common Name definition.
Note that this is not 100% luser-proof, for example if your certificate 
was issued for webmail.company.com, but the user types in 
https://1.2.3.4, this check will fail.
Also - since you are using two concentrators in a loadbalancing setup - 
have a very close look at how both concentrators should deal with the certs. 
I understand that depending on the load, a webvpn session can be terminated 
on either of the two devices, so they need to have the same certificate 
and the corresponding keypairs installed; not sure how this works 
(manual import/export should do the trick).
Good luck!
Christian
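The second check Christian describes (the name in the address bar against the CN, or the subjectAltName where present, of the concentrator's certificate) as an added example that is not part of the original mail; the certificate dictionary is constructed in the layout Python's `ssl.getpeercert()` returns, and the names are the ones used in the thread.

```python
import ipaddress

# Constructed certificate in the dict layout ssl.getpeercert() returns
# (not a real certificate from the thread, just the fields the check uses).
CONCENTRATOR_CERT = {
    "subject": ((("commonName", "webmail.company.com"),),),
    "subjectAltName": (("DNS", "webmail.company.com"),),
    "issuer": ((("commonName", "Example Internal CA"),),),  # placeholder issuer
}


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; a leading '*.' matches one label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_parts = host.split(".", 1)
        return len(host_parts) == 2 and host_parts[1] == pattern[2:]
    return pattern == host


def hostname_matches(cert: dict, requested_host: str) -> bool:
    """Mimic the browser check: does the name the user typed appear in the cert?

    An IP literal (https://1.2.3.4) only matches an 'IP Address' SAN entry,
    never the CN, which is why the check fails for a cert issued to
    webmail.company.com when the user types the address instead of the name.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(requested_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == wanted_ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:  # when DNS SANs are present, browsers ignore the CN
        return any(_dns_match(name, requested_host) for name in dns_names)
    for rdn in cert.get("subject", ()):  # no SAN: fall back to the CN
        for key, val in rdn:
            if key == "commonName":
                return _dns_match(val, requested_host)
    return False
```

Running `hostname_matches(CONCENTRATOR_CERT, "1.2.3.4")` returns False while the DNS name returns True, which is exactly the "issued for a different website's address" warning from the quoted message.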
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:13 ART