Apache Tomcat https setup

[zigzagdna]

I am using Apache Tomcat 6. I have setup an https site by installing
some certificates. When I enter https url a pop-up message comes
showing the certificate. Is there a way to prevent this pop-up message
because it is annoying to users. We are in an intranet and primary
purpose is to encrypt passwords, data etc sent over the network.

I have seen some other websites using https where the pop-up message
does not come. When I installed certificates in certificate store
using java command I trusted all the certificates, so do not know why
popup-up message comes.


Thanks a lot.

 

[Lew]

I am using Apache Tomcat 6. I have setup an https site by installing
some certificates. When  I enter https  url a pop-up message comes
showing the certificate. Is there a way to prevent this pop-up message
because it is annoying to users. We are in an intranet and primary
purpose is to encrypt passwords, data etc sent over the network.

I have seen some other websites using https where the pop-up message
does not come. When I installed certificates in certificate store
using java command I trusted all the certificates, so do not know why
popup-up message comes.

"A pop-up message ... showing the certificate" is a tad imprecise. I
assume it's the message asking users to accept the certificate, which
comes up when the certificate is not signed by a trusted authority.

You say you "trusted all the certificates", another imprecise
statement. Do you mean you went to each user's browser and instructed
it to trust the signing authority of the certificate?

If not, that could explain the issue, assuming my assumption of what
you meant is correct.

 

[zigzagdna]

"A pop-up message ... showing the certificate" is a tad imprecise.  I
assume it's the message asking users to accept the certificate, which
comes up when the certificate is not signed by a trusted authority.

You say you "trusted all the certificates", another imprecise
statement.  Do you mean you went to each user's browser and instructed
it to trust the signing authority of the certificate?

If not, that could explain the issue, assuming my assumption of what
you meant is correct.

Lew:

Yes, pop-up message is for what you say. I did not go to each user's
browser; instead when I was running java commands on web server to
install certficates in a kety store which is used by Tomcat; java
command asked me whether certificate is to be trusted.
How does browser decides whether
"certificate is not signed by a trusted authority". Is certifcate have
to be installed in some place on user's PC. If yes where?

THANKS A LOT.

Prem

 

[Arne Vajhøj]

Yes, pop-up message is for what you say. I did not go to each user's
browser; instead when I was running java commands on web server to
install certficates in a kety store which is used by Tomcat; java
command asked me whether certificate is to be trusted.
How does browser decides whether
"certificate is not signed by a trusted authority". Is certifcate have
to be installed in some place on user's PC. If yes where?

This is a security feature.

If a site claims to be java.sun.com and the certificate is
signed by a company that the browser know, then there is no
need to ask.

If the browser does not know the signer of the certificate,
then you get prompted.

There are no way you can disable that server side. For
obvious reasons otherwise the hackers would let their
fake java.sun.com disable the check as well.

You either need to buy a certificate from one of the
known vendors or install the the signing certificate
at each client PC.

How depends on OS and browser.

Arne

 

[zigzagdna]

This is a security feature.

If a site claims to be java.sun.com and the certificate is
signed by a company that the browser know, then there is no
need to ask.

If the browser does not know the signer of the certificate,
then you get prompted.

There are no way you can disable that server side. For
obvious reasons otherwise the hackers would let their
fake java.sun.com disable the check as well.

You either need to buy a certificate from one of the
known vendors or install the the signing certificate
at each client PC.

How depends on OS and browser.

Arne

Arne:

Thanks a lot. As alwyas you are extremely knowledagbale and your
answers are very clear.