2

I am new to SSL certificates. I have installed an OpenSSL certificate for my Exchange server because I don't want to pay for a certificate. It is working fine on the server and the local network. But when I tried from outside the network, I am still getting an SSL error in the Chrome and IE browsers, as shown below.

I don't know whether OpenSSL works outside the network or not. If not, what is the use of OpenSSL? Or am I missing something?


James123
  • This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/), [Web Apps Stack Exchange](http://webapps.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Feb 16 '15 at 03:49

3 Answers

2

This has nothing to do with OpenSSL but is because of how SSL/TLS works.

A certificate is like an identification document signed by a trusted entity (like a government). Browsers and operating systems are shipped with a set of trusted entities, the "root CA (certificate agency)". Since your certificate is not signed by any of the built-in trusted entities, the browser refuses to trust it and you get this error message. This trust check is essential when validating the certificate. If it were not done, anybody could claim your identity and thus hijack the encrypted connection (man-in-the-middle attack).

So your only options are either to get a certificate from a trusted entity or to add yourself as a trusted entity into each browser and operating system which should be able to access your site. Of course this can only be done for endpoints you control.

Steffen Ullrich
  • *"...but is because of how SSL/TLS works."* - it's due to the browsers enforcing [CA/B Forum](https://cabforum.org/) policies, and not SSL/TLS. – jww Feb 16 '15 at 03:48
  • I think the different roles of the various SSL/TLS standards, the rules of the CA/B Browser forum and their interpretation by CAs and browsers is way too much detail for somebody who is new to certificates. And knowledge of this is not even needed to understand the issue. Also, the main aspect of this sentence was to point out that it has nothing to do with OpenSSL. – Steffen Ullrich Feb 16 '15 at 05:44
0

> I don't want to pay to certificate ...

This is easy enough to fix. Use StartCom or CAcert. They issue free Class 1 server certificates.

StartCom is trusted by nearly all desktop and mobile browsers (I think there's a gap in early mobile browsers). I don't know about CAcert adoption in browsers.


> I am still getting ssl error on chrome and IE browsers like showing below

Stop using self-signed certificates. The latest versions of Chrome won't accept them (IIRC).

Become your own CA, and then install your CA in the browser. There are a few reasons.

  1. Browsers want server certificates that chain back to a trust anchor
  2. Some browsers don't let you install self-signed end entity certificates
  3. Who better to trust than yourself?

After you become your own CA, sign your server certificate and everything will work fine.

Be sure your server certificate includes all the server names you use to address the server (like www.example.com, www and IP addresses). For a server name to work in browsers, the browser must be able to verify it starting at the DNS Root Zone. This means www.example.com will be OK, but www will cause you trouble outside your local network.


> I don't know openssl works outside the network or not? if not why openssl use of it?

OpenSSL issues certificates under IETF policies. Browsers use/enforce the policies from the CA/Browser Forums. For more details, see the answer at How to create a self-signed certificate with openssl?

Community
jww
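The own-CA steps from the answer above, together with the trust check described in the first answer, as an added example that is not part of either answer. The names `mail.example.com`, `192.0.2.10`, the file names and the helper functions are constructed for illustration; it assumes the `openssl` command line tool, version 1.1.0 or later.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate with SANs (constructed names).
set -eu

build_pki() {  # build_pki <dir> <fqdn> <ip>
  d=$1; fqdn=$2; ip=$3
  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Root CA: the only certificate clients must import as a trust anchor.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/ca.cnf" -extensions v3_ca -subj "/CN=Example Private Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Server key and certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=$fqdn" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  # 3. End-entity extensions: every name clients will use goes into the SAN.
  cat > "$d/srv.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn,IP:$ip
EOF
  # 4. The CA signs the request, producing a certificate that chains to ca.crt.
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$d/srv.ext" \
    -out "$d/srv.crt" 2>/dev/null
}

name_ok() {  # name_ok <dir> <dns-name>: chain must reach our CA AND the name must match
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/srv.crt" >/dev/null 2>&1
}
builtin_roots_ok() {  # what a client sees that never imported ca.crt
  openssl verify "$1/srv.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_pki "$demo" mail.example.com 192.0.2.10
for n in mail.example.com www; do
  if name_ok "$demo" "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
done
builtin_roots_ok "$demo" && echo "default store: accepted" || echo "default store: issuer not trusted"
```

Only `ca.crt` is distributed to the clients you control; `ca.key` stays offline, since anyone holding it can issue certificates those clients will accept.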
0

When you want an SSL version for your domain, one important thing you missed (an SSL certificate from a trusted owner): by default SSL uses your own generated certificate. (This is the major cause for SSL website domains.) Anyway, if you have this issue and for now you want only the http:// version of your website, just paste the following code into your .htaccess file. Note: before trying this code, back up your old .htaccess file.

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
## EXPIRES CACHING ##
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 2 days"
</IfModule>
## EXPIRES CACHING ##
```

For more information visit this link: http://www.c4dprime.com/how-to-create-a-wordpress-website/?v=ccf00d8f7e29