1. Re: https for Jboss-3.2.3 without certificate
barend Feb 2, 2004 11:10 AM (in response to tomi)
The problem is not in the way JBoss is set up, the problem is in the certificate used. You need a security certificate issued by a trusted party such as Verisign or Thawte.
If the certification chain doesn't lead to a trusted root certificate, browsers will ALWAYS display a warning (and rightfully so). If the certificate comes from a trusted root, it MIGHT be accepted silently.
You can instruct your clients to "Accept this certificate once and for all" the first time the warning is displayed, and they'll be rid of it for the rest of their use of your site. If you want to be rid of the warning altogether, you'll have to buy an SSL certificate. Expect to pay $200 with a yearly renewal.
2. Re: https for Jboss-3.2.3 without certificate
tomi Feb 2, 2004 5:48 PM (in response to tomi)
Thanks a lot for your explanation.
It looks like I have two choices:
a) buy a certificate
or
b) give my certificate to the communication partner
and have them import it into their keystore of trusted
certificates.
I think a) is the real solution. But right now we are
still in testing mode, so b) might be the way to go
for now.
Thanks
Tomi
3. Re: https for Jboss-3.2.3 without certificate
baric Feb 3, 2004 2:38 PM (in response to tomi)
(b) will certainly work for you in a test environment, especially if you are just issuing a self-signed certificate with keytool. And if the web user simply accepts the certificate, they will not see the message any more. I would, however, make sure the cert is time limited, say 90 days or so (depends on your testing needs). This is what I do for my testing environment.
For a production server, a purchased cert from either Verisign or Thawte is the way to go, as IE and most other browsers already ship with the certs for the intermediate and root CAs. A purchased SSL cert will run you about $800 a year from Verisign. I have not priced out other vendors.
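
The test-environment route from this thread (option b, with the 90-day limit suggested above), as an added example that is not part of the original posts: a self-signed certificate is created with keytool, only its public certificate is exported, and the partner imports it into a dedicated truststore after comparing fingerprints. The alias, host name, file names and password are constructed placeholders.

```shell
#!/bin/sh
# Added example. ALIAS, HOST and PASS are constructed placeholders.
ALIAS=jboss-test
HOST=test.example.internal
PASS=changeit-test-only

# Server side: self-signed key pair that expires after $1 days.
make_test_keystore() {   # $1 = validity in days, $2 = keystore path
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity "$1" -dname "CN=$HOST" \
        -keystore "$2" -storepass "$PASS" -keypass "$PASS"
}

# Server side: hand over the public certificate only, never the keystore,
# because the keystore also holds the private key.
export_cert() {          # $1 = keystore path, $2 = output PEM file
    keytool -exportcert -rfc -alias "$ALIAS" \
        -keystore "$1" -storepass "$PASS" -file "$2"
}

# Partner side: SHA-256 fingerprint of the received file, to be compared
# with the value the server operator reads out over a separate channel.
cert_fingerprint() {     # $1 = PEM file
    keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Partner side: import into a dedicated truststore instead of the JRE-wide
# cacerts, so the test certificate is trusted only where it is needed.
import_cert() {          # $1 = PEM file, $2 = truststore path
    keytool -importcert -noprompt -alias "$ALIAS" -file "$1" \
        -keystore "$2" -storepass "$PASS"
}

# Partner side: fingerprint of what actually ended up in the truststore.
truststore_fingerprint() {   # $1 = truststore path
    keytool -list -v -alias "$ALIAS" -keystore "$1" -storepass "$PASS" \
        | sed -n 's/^[[:space:]]*SHA256: *//p'
}

# Run the whole exchange in a scratch directory with: sh <this file> demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_keystore 90 "$d/server.keystore"
    export_cert "$d/server.keystore" "$d/server.pem"
    echo "exported:   $(cert_fingerprint "$d/server.pem")"
    import_cert "$d/server.pem" "$d/partner.truststore"
    echo "truststore: $(truststore_fingerprint "$d/partner.truststore")"
fi
```

When the 90 days run out, the partner has to delete the old alias from the truststore and import the replacement certificate.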