3 Replies Latest reply on Feb 3, 2004 2:38 PM by baric

    https for Jboss-3.2.3 without certificate

    tomi

      Hi,

      In the forum I found very good information on how to activate
      https on jboss 3.2.3.

      The connector config that I am using is:





      This works fine.

      But now when I browse to a page using https, I need to accept
      a certificate. I know that this is good and more secure, but our
      partner who will call our web services wants to use https without
      accepting a certificate.

      Now I was wondering how I could configure jboss 3.2.3 in a way
      that no certificate has to be accepted.


      I think I somehow need to configure the factory without keystore,
      or something like that, but whatever config I tried up to now did
      not work.

      Can anybody help?

      Thanks

      Tomi

        • 1. Re: https for Jboss-3.2.3 without certificate
          barend

          The problem is not in the way JBoss is setup, the problem is in the certificate used. You need a security certificate issued by a trusted party such as Verisign or Thawte.

          If the certification chain doesn't lead to a trusted root certificate, browsers will ALWAYS display a warning (and rightfully so). If the certificate comes from a trusted root, it MIGHT be accepted silently.

          You can instruct your clients to "Accept this certificate once and for all" the first time the warning is displayed, and they'll be rid of it for the rest of their use of your site. If you want to be rid of the warning altogether, you'll have to buy an SSL certificate. Expect to pay $200 with a yearly renewal.

          • 2. Re: https for Jboss-3.2.3 without certificate
            tomi

            Thanks a lot for your explanation.

            It looks like I have two choices:
            a) buy a certificate
            or
            b) give my certificate to the communication partner
            and have them import it into their keystore of trusted
            certificates.

            I think a) is the real solution. But right now we are
            still in testing mode, so b) might be the way to go
            for now.

            Thanks

            Tomi

            • 3. Re: https for Jboss-3.2.3 without certificate
              baric

              (b) will certainly work for you in a test environment, especially if you are just issuing a self-signed certificate with keytool. And if the web user simply accepts the certificate, they will not see the message any more. I would, however, make sure the cert is time limited, say 90 days or so (depends on your testing needs). This is what I do for my testing environment.

              For a production server, a purchased cert from either Verisign or Thawte is the way to go, as IE and most other browsers already ship with the certs for the intermediate and root CAs. A purchased SSL cert will run you about $800 a year from Verisign. I have not priced out other vendors.
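Option (b) from reply 2, done the way reply 3 recommends (a keytool self-signed cert limited to 90 days, then imported into the partner's truststore instead of switching off certificate checks), as an added shell example that is not from the thread or from JBoss; the aliases, file names, the CN and the password "changeit" are placeholders, and a JDK keytool on PATH is assumed.

```shell
#!/bin/sh
# Added example: short-lived self-signed server cert with keytool, exported
# (public cert only) and imported into the partner's truststore.
# Assumptions: keytool on PATH; alias/file names and "changeit" are placeholders.
set -eu

STOREPASS=changeit   # placeholder; use a real secret outside of tests

# Server side: create the key pair. -validity is in days; 90 keeps a test
# cert from lingering in partners' truststores after testing ends.
make_server_cert() {   # $1 = keystore path, $2 = validity in days
  keytool -genkeypair -alias jboss -keyalg RSA -keysize 2048 \
    -validity "$2" -dname "CN=localhost, O=Test" \
    -keystore "$1" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Export only the certificate (never the private key) to hand to the partner.
export_server_cert() {   # $1 = keystore path, $2 = output .crt file (PEM)
  keytool -exportcert -alias jboss -keystore "$1" -storepass "$STOREPASS" \
    -rfc -file "$2"
}

# Partner side: trust exactly this certificate in a dedicated truststore,
# rather than disabling certificate validation in the web-service client.
import_partner_cert() {   # $1 = .crt file, $2 = truststore path
  keytool -importcert -noprompt -alias partner-jboss -file "$1" \
    -keystore "$2" -storepass "$STOREPASS"
}

# Returns 0 when the alias is present in the truststore, 1 otherwise.
truststore_has_alias() {   # $1 = truststore path, $2 = alias
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Shows the validity window, so the expiry of a test cert can be checked.
cert_validity() {   # $1 = .crt file
  keytool -printcert -file "$1" | grep -i 'Valid from'
}
```

Run the four steps in order on a temporary directory; the partner's client then points its truststore (for example via the JSSE truststore settings) at the file produced by import_partner_cert.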