NDN Certificate

From DreamHost
Revision as of 10:47, 25 January 2011 by Andrew F (Talk | contribs)

Jump to: navigation, search

Header NDNCertificate.png

We have created a Secure SSL certificate for you to install into your system and programs that will allow your system to trust the certificates that we create. It is issued by DreamHost’s very own “New Dream Network Certificate Authority”, hereafter the NDN CA, because we love acronyms!

Here are the instructions on how to install it, first you will need to download it here (Make sure to right click and select "save link as")

You will have a secure certificate file now on your computer.

Ndncert 01.png


Follow the below instructions to install the NDN Certificate

Firefox/Thunderbird

Ndncert 02.png
Firefox and Thunderbird have the same instructions currently so I will cover both of these here.

Open Firefox, then click on Tools > Options

Ndncert 06.png


Then Select the Advanced Tab, select the Encryption (Firefox) or the Certificates (Thunderbird) tab and then click on View Certificates

Ndncert 07.png

You will then need to click on the Authorities tab and click Import. Find that cert you saved, and hit OK! When it will ask you what you want to trust the cert for, check everything except code signing one.

Ndncert 08.png

When it asks you what you want to trust the cert for, check everything! You implicitly trust this certificate!

Internet Explorer/Outlook

Ndncert 03.png

Literally, when you import the certificate into Internet Explorer, it does it for Windows as a whole, and thus anything which hooks in to that uses it. (The entire office suite, for example.)


Open up Internet Explorer and click on Tools > Internet Options

Ndncert 09.png


The Click on the Content tab and select Certificates...

Ndncert 10.png


You must pick Trusted Root Authorities then on Import and go through the prompt and choose the NDN Cert you downloaded earlier.

Ndncert 11.png


Safari/Apple

Ndncert 12.png

The certificate will download as a text (.txt) file. Find it and change the file extension to .crt

Open Keychain Access, this is in your Appplications -> Utilities folder.

Ndncert 13.png


Select File->Import, Select the cert and X509Anchors, click OK. When prompted, enter your password.

Ndncert 14.png

Opera

Open Opera, then click Tools > Options.

Opera cert 1.png


Click the Advanced tab.

Opera cert 2.png


Click Security from the left-hand menu and then hit the Manage certificates button.

Opera cert 3.png


Click the Authorities tab and then the Import button. Follow the instructions to import the certificate.

Opera cert 4.png


When prompted with the Install authority certificate dialog, click the View button.

Opera cert 5.png


Uncheck the Warn me before using this certificate checkbox and press OK to close all dialogs and save the settings.

Opera cert 6.png


Troubleshooting

Internet Security Warning

See also: Certificate Domain Mismatch Error

With Outlook or Outlook Express, you may get an error like this:

The server you are connected to is using a security certificate that could not be verified. The certificate's CN name does not match the passed value. Do you want to continue using this server?

The server you are connected to is using a security certificate that could not be verified. The certificate's CN name does not match the passed value. Do you want to continue using this server?

Here is one potential fix for this:

The certificate mentioned above is only certifying *.dreamhost.com so using mail.<yourdomain>.com for POP and SMTP can be problematic. Instead of using the mail server at mail.<yourdomain>.com, use the actual name of the mail server. Find the name of your mail server and set that as your POP server. To find the name, go to the Dreamhost Control Panel and click on "Account Status" in the upper right corner. If it shows you your email server as "spunky", then it is actually "spunky.mail.dreamhost.com". Be sure to install the certificate as mentioned above and the annoying security certificate message should stop popping up.

Here is another potential fix and an explanation:

In short, this is caused by a restriction/violation of the X.509 wildcard certificate specifications. In English, a1.balanced.yourailserver.mail.dreamhost.com, technically speaking, is NOT "covered" by the wildcard certificate for *.mail.dreamhost.com... The "real" guidelines for the application of a wildcard certificate specify the "*" is good for only ONE level (i.e. levelone.mail.dreamhost.com) but NOT for two or more (i.e. leveltwo.level1.mail.dreamhost.com).

Solution The only solution to my knowledge is to make the hostname you're using to access the mail server(s) compliant with this standard. This can be done by editing your "hosts" file. Before that procedcure is desribed, you'll need to know what to put into that file.

(From A DreamHost Blog Post)
First, you'll need to find the address of your particular mail server. Above are the instructions for finding out which one that is. Then you'll need to get to a command prompt and do something like this:

Dh-wiki-ping.png

You'll need to change the "spacey" portion (which is underlined) to match YOUR mail server's name. You will get results similar to what is shown, but likely with a different IP address. Now we need to insert that address as an "alias" into your hosts file.

Using notepad (or any PLAIN TEXT EDITOR) find the hosts file on your computer. On a WinXP system it is c:\windows\system32\drivers\etc\hosts -- the location varies slightly from OS to OS. Anyway, add (or change if you've done this "hack" before) something like this to the file:

 # alias to avoid SSL warning in Outlook Express
 208.113.200.50 spacey.mail.dreamhost.com

Note the IP address 208.113.200.50 (UPDATED) should be replaced with the result you got from your PING in the above step. Similarly, the spacey should be replaced with YOUR email server's name. Make the changes as described and save the file.

Finally, get into Outlook Express and get to the following screen (Tools -- Accounts -- Properties)

Dh-wiki-oe-final.png

Change the highlighted fields to match whatever you entered in the hosts file as per above (just the myserver.mail.dreamhost.com bit.. NOT the numbers! :p) - Apply those changes, exit Outlook Express, get back into it and PRESTO! No more warning! (Unless I missed something here... if so, please help correct it or at least post it on the talk page for this article so it can be fixed by someone!)

Hope this helps someone and saves a bit of time!

FAQ

This is taken from This DreamHost Status Post, but to get it all in one place, here it is.

Why don’t these instructions work for Apple Mail?

For Apple Mail follow these instructions: http://wiki.dreamhost.com/Mac_OS_X_Mail_10.4#Instructions

Why not get a REAL certificate signed by VeriSign?

The short answer: This is a REAL certificate, and the SSL works just the same.

The long answer: The only difference is that Verisign and a few other top level Certifying Authorities (CAs) have their root level certs included with most products that use certificates. This lets certificates establish a "chain" of authentication your browser or app can check locally. All this does is add Dreamhost as another root level CA on your computer so certs generated by Dreamhost validate silently on your computers. Up until recently, certificates didn't really guarantee anything except the the server you're interacting with is really the same domain name an IP is claims to be, and they enable encryption in the communication. Nothing stopped them from being WeStealYourInformation.com. The recent advent of EV certs (enhanced verification) really vet the owners. But in this case, since Dreamhost is only creating certificates for our own servers, it's perfectly fine to generate self-signed certificates, since all we care about is the encryption. We're fairly sure we're who we think we are, and by golly, that's good enough for us.

I don’t trust you, I have too many computers to do this on, I can’t expect my clients to install that CA certificate, etc, do I have to install the NDN CA certificate?

No! Just click to accept the *.mail.dreamhost.com certificate permanently and it shouldn’t bother you until we renew or change the certificate. Installing the CA certificate would allow us to renew the certificate transparently.

(Note: You may have to do the "hosts file hack" as described above to get rid of the warning in Outlook Express on any and all computers you use Outlook Express on.)

Technical notes

To get all geeky on you, the certificate is an X.509 certificate, in the Privacy Enhanced Mail (that’s PEM) format. Well, it’s not quite an X.509 certificate, but it’s an acceptable imitation!

Not quite standards compliant

The certificate is installed, now, however some astute readers have alerted me to the fact that this new certificate isn’t actually X.509 specification compliant. We’re going to stick with it, since it does help a subset of our users, and will consider some alternatives for the future!

See also