Thanks for the help. That answers a lot of questions, but raises some more.
On Wed, Jul 2, 2008 at 5:01 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:

> That error means one thing: the name(s) in the cert do not match the
> name (or IP address) of the server given in the URL. Nothing you can
> do to any Issuer cert will overcome the fact that the server cert
> doesn't have the desired server name in it in the right place.

I assume that firefox is trying to match the hostname (portion of the URL) or the IP address with something in the DN or the subject Alt of the certificate. When you say names in the cert, then I assume you are referring to the cert's DN or subject alt name. For the DN, is it the CN that has to match? If I use subject Alt name, can I specify multiple hostnames or IP addresses? Can I match wildcards such as "*.google.com"? Is the name match a specific IP address or can I specify a subnet?

> > I can go through the motions and add an exception, but this is a pain to
> > do for each of the servers.
>
> Yup. A much better solution is to ensure that the cert has the host name
> used in the URL, and vice versa.
>
> > If I manually add the exception will this permanently bypass all the
> > other cert checking (valid dates, revocation, etc.)?
>
> I believe so, yes.

Given both of those answers, I would rather change out my server certs than have the users manually override the cert checking.

> > How can I get firefox to stop complaining about the certificates for
> > intra-net sites? Is there something I need to place in the server
> > certs?
>
> Ensure that the cert has the hostname used in the URL, and vice versa.
> Pay attention to FQDNs. If the cert's host name is an FQDN, then the
> host name in the URL must be an FQDN.
>
> Reverse DNS lookups are irrelevant. They play no role whatsoever in
> matching the hostname given in the URL to the name in the cert.
>
> Don't forget that if you have host names in the Subject Alternative Name
> extension, then ALL the names in the cert belong there, not all-but-one.
> But This is no different than it was in FF2.

I don't think I fully understand the "ALL the names" in this context. What might help me is if you can elaborate with a simple example?

> > Bruce
>
> /Nelson

Thanks,
Bruce
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
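As an added illustration of the name-matching rules discussed in the thread (this is editor-supplied example code, not from the thread and not NSS or Firefox code), the following is a small RFC 2818/6125-style matcher over certificate name data in the dict shape Python's `ssl.getpeercert()` returns. It goes slightly beyond the thread by also covering the wildcard and IP-address cases asked about; the sample certificates and host names are constructed for the example.

```python
import ipaddress

def _dns_id_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the cert against the URL host name.
    Case-insensitive; a '*' is honoured only as the whole left-most
    label and never spans a '.', so '*.apps.corp.example' matches
    'foo.apps.corp.example' but neither 'apps.corp.example' nor
    'a.b.apps.corp.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # exact FQDN match only
    suffix = pattern[1:]                    # '.apps.corp.example'
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]
    return bool(prefix) and "." not in prefix

def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Decide whether `cert` is valid for the host given in the URL."""
    san = cert.get("subjectAltName", ())
    dns_ids = [v for t, v in san if t == "DNS"]
    ip_ids = [v for t, v in san if t == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # A URL with an IP literal must match an iPAddress SAN entry
        # exactly: no subnet matching, no fallback to DNS names or CN.
        return any(ipaddress.ip_address(v) == ip for v in ip_ids)
    if dns_ids:
        # The "ALL the names" rule: once the cert carries DNS names in
        # subjectAltName, the subject CN is ignored entirely, so a host
        # name that appears only in the CN no longer matches.
        return any(_dns_id_match(p, hostname) for p in dns_ids)
    # Legacy fallback, only when the cert has no DNS SAN entries at all:
    # compare against the most specific commonName in the subject.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cns) and _dns_id_match(cns[-1], hostname)

# Constructed sample certs (dict shape of ssl.getpeercert()), not real certs.
CERT_CN_ONLY = {"subject": ((("commonName", "intranet.corp.example"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "intranet.corp.example"),),),
    "subjectAltName": (("DNS", "www.corp.example"),
                       ("DNS", "*.apps.corp.example"),
                       ("IP Address", "10.0.0.5")),
}
```

With `CERT_WITH_SAN`, `https://intranet.corp.example/` fails even though that name is the CN, because the SAN extension is present and does not list it; adding `DNS:intranet.corp.example` to the SAN is the fix, which is the point of "all the names belong there".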