The server side is ready at this point, but Bob isn't. He's about to visit Alice's secure Web server. He'll get the warning message shown in Figure 1. (All figures in this section are taken from Mozilla 1.2b and apply as well to Netscape 7.0.)
|Figure 1: Browser Unable to Verify the Identity of the Server|
Hmm, what's going on? Bob clicks on the Examine Certificate button, and he sees the contents of the certificate that came from the server, as shown in Figure 2.
|Figure 2: Contents of the Server's Certificate|
Note that the certificate indeed belongs to Alice and is indeed signed by Celie. Everything seems to be in order, so what's the problem? Why the holdup? This glitch happens because Bob doesn't have a copy of Celie's self-signed certificate. Remember, Celie isn't one of the big, famous certification authorities like VeriSign or Thawte. If she were, her certificate would ship with all major browsers. But she's not, so Bob is going to have to install her certificate himself.
This isn't an indication of Alice's cheapness; Alice probably had a very good reason for using Celie. In the context of a company intranet, for example, internal Web servers quite possibly could be authenticated by an internal, company-wide certification authority.
Bob Downloads Celie's Certificate
Luckily, recent browsers make installing a new trusted root certificate very easy, almost too easy, since installing just any old root certificate is not a good practice. Celie can put her certificate on her Web site. She should rename it with a .crt extension because most Web servers understand this to be the suffix for certificates of this kind. The URL for the certificate will be something like http://celie.com/certificates/cacert.crt. When Bob goes to this URL, he'll see the dialog box shown in Figure 3.
All Bob has to do is click on Trust this CA to identify web sites and press OK. With that, the certificate is installed. Now Bob's browser knows about Celie. It trusts Celie, and therefore it will trust Alice. When he directs his browser to https://www.alice.com/, it lets him through without a peep.
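To see concretely what Bob's browser is checking, here is an added Go example (not code from the article) that builds a throwaway, in-memory version of Celie's self-signed root and Alice's www.alice.com server certificate, then runs the same chain-and-hostname check a browser does, first with an empty trust store and then with Celie's certificate installed. The certificates and names are constructed for illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs tmpl with signer's key under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	return c
}

// buildPKI makes Celie's self-signed root and the www.alice.com certificate she signs (both constructed in memory).
func buildPKI() (celieRoot, aliceServer *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // server's private key is not needed for verification
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Celie CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	celieRoot = issue(caTmpl, caTmpl, caPub, caKey) // self-signed: parent is the template itself
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.alice.com"},
		DNSNames: []string{"www.alice.com"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return celieRoot, issue(srvTmpl, celieRoot, srvPub, caKey)
}

// verifyAs does what Bob's browser does: chain server to a root in the trust store and check it is valid for host; nil means no warning dialog.
func verifyAs(server *x509.Certificate, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool() // empty pool on purpose, not the system store
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	celie, alice := buildPKI()
	fmt.Println("before installing Celie's cert:", verifyAs(alice, nil, "www.alice.com"))
	fmt.Println("after installing Celie's cert: ", verifyAs(alice, []*x509.Certificate{celie}, "www.alice.com"))
}
```

The first call fails with an unknown-authority error (the situation behind Figure 1); the second succeeds because Celie's root is now in the trust store, which is exactly what clicking Trust this CA does.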
One Certificate Does It All
As you can see, this process has a number of steps. However, remember that you did a lot in this one article:
- Set up a certification authority
- Configured a secure Web server
- Configured a Web browser to talk to the secure Web server
Now that this infrastructure is in place, it's a snap for your users to configure their browsers to use your secure Web servers. Installing the certificate once is a lot more efficient than having to contend with a warning dialog every time a new server is added to the system. That one certificate can serve an entire organization for as long as necessary.
Installing instances of secure servers also is easier. You can use the in-house certification authority to sign certificates for each server you want to set up. If done in-house, it's free. So you don't have to think twice about setting up as many servers as necessary.