I followed the steps in the How-To guide http://wiki.qnap.com/wiki/Use_OpenSSL_t ... connection for using OpenSSL to generate a certificate for the NAS.
Everything worked, but when I SSL into my NAS (TS-509), IE8 is giving me a "Mismatched Address" certificate error. The SSL works and all, but I was just wondering if there was a way to get rid of that error so that IE goes to my NAS box without any issues and the location bar background is green as opposed to red.
Thanks.
[HELP] Mismatched Address Certificate Error
- nuspieds
- Know my way around
- Posts: 133
- Joined: Tue Jul 14, 2009 3:35 am
- Location: Los Angeles
- Q
- Experience counts
- Posts: 1436
- Joined: Wed Sep 05, 2007 4:18 pm
- Location: Switzerland
Re: [HELP] Mismatched Address Certificate Error
hi
to get the bar green you would need to buy an EV SSL certificate from an issuer known by the web browser: http://en.wikipedia.org/wiki/Extended_V ... ertificate
-
- Getting the hang of things
- Posts: 79
- Joined: Sat Aug 22, 2009 5:14 am
Re: [HELP] Mismatched Address Certificate Error
Hi Nuspieds,
You can in fact use a self-signed certificate and NOT get that certificate error in IE8. But for that to work you must make sure you correctly create your certificate so it is able to properly identify your server. There are a few things you need to add in a certificate for it to work without error:
- Friendly / Subject name (aka Common Name; it's the field called Subject in the certificate) must match the external name of whatever you are connecting to. For instance mail.domain.com
- SAN (Subject Alternate Names) must match ALL names the connection / server is known by; this includes LAN DNS names. So if you have a server named Server1 in an Active Directory domain called Domain1.local, you should add these SANs: Server1 , Server1.domain1.local , mail.domain.com
If all of the names this server is identified by are present (either on the WAN or LAN), IE won't give you an error. This is a Microsoft recommendation btw, I didn't make that up
Now, for the record, I have never used the method you described to create certificates so I have no idea how that works. I'm sorry. I only deal with creating self-signed certificates on Exchange Servers or otherwise buying a certificate from a verified resource (Thawte, VeriSign, DigiCert, etc.).
Hope this helps nonetheless
- Q
- Experience counts
- Posts: 1436
- Joined: Wed Sep 05, 2007 4:18 pm
- Location: Switzerland
Re: [HELP] Mismatched Address Certificate Error
cool, thx for sharing that information.
does the bar then get green or yellow? guess the latter one (which is also fine of course).
-
- Getting the hang of things
- Posts: 79
- Joined: Sat Aug 22, 2009 5:14 am
Re: [HELP] Mismatched Address Certificate Error
You're welcome!
The certificate will be fully trusted if all of the names are configured correctly, so it will be green
- nuspieds
- Know my way around
- Posts: 133
- Joined: Tue Jul 14, 2009 3:35 am
- Location: Los Angeles
Re: [HELP] Mismatched Address Certificate Error
Q wrote: to get the bar green you would need to buy an EV SSL certificate from an issuer known by the web browser: http://en.wikipedia.org/wiki/Extended_V ... ertificate
Thanks for the info...that expense is not worth it for me, though, as I'm not hosting a site or anything.
- nuspieds
- Know my way around
- Posts: 133
- Joined: Tue Jul 14, 2009 3:35 am
- Location: Los Angeles
Re: [HELP] Mismatched Address Certificate Error
JohnVK wrote: Hope this helps nonetheless
Actually, it does!
Thanks a lot!
The command-line of OpenSSL prompts for Common Name but for SAN, as I just read in the documentation, it must come from the configuration file. I'll definitely be playing around with it some more to see if I can get it to work.
- nuspieds
- Know my way around
- Posts: 133
- Joined: Tue Jul 14, 2009 3:35 am
- Location: Los Angeles
Re: [HELP] Mismatched Address Certificate Error
Hi JohnVK,
Success at last!
All along I was incorrectly specifying the CN. I had tried the server name (which I use at home on my network), and then I edited the configuration file for OpenSSL to specify SANs using both IP and URIs...but all to no avail.
Then, after doing more research, I found out that I should be using the external server name (i.e., xxx.dyndns.org) for the CN. Actually, there was a time when I did specify this external name, but based on the examples I saw in the documentation, I had the name improperly formatted by including "http://".
Finally, what led me to fully diagnose the problem was when I stumbled onto this site: http://www.sslshopper.com/ssl-checker.html. It clearly told me what I needed to do and once I fixed the CN, everything subsequently worked. No more red bar with the mismatch error!
In the end, though, all that I needed to do was set the CN; I didn't have to worry about SANs.
Thanks again for your help!
-Nuspieds
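The procedure discussed in this thread (a bare host name as CN, with SANs supplied through an OpenSSL configuration file), as an added example that is not from any poster or from the QNAP guide. The host names, the IP address and the file names nas.cnf, nas.key and nas.crt are constructed; the script also lists the CN among the SANs, and it covers name matching only.

```shell
#!/bin/sh
# Added example. Names such as nas.example.org and 192.168.1.20 are
# constructed samples, not values from the thread.

# Reduce what a user might type ("http://host:8080/path") to the bare host,
# which is the only thing that belongs in the CN or in a SAN entry.
normalize_host() {
  h=${1#*://}            # drop a scheme such as http://
  h=${h%%/*}             # drop any path
  h=${h%%:*}             # drop a port (DNS names and IPv4 only)
  printf '%s\n' "$h" | tr '[:upper:]' '[:lower:]'
}

# write_cnf FILE NAME...  The first NAME becomes the CN; every NAME (CN
# included) is listed as a SAN, because clients that find DNS SANs in a
# certificate check those and ignore the CN.
write_cnf() {
  cnf=$1; shift
  cn=$(normalize_host "$1")
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3\n'
    printf '[dn]\nCN = %s\n[v3]\nsubjectAltName = @alt\n[alt]\n' "$cn"
    d=0; i=0
    for n in "$@"; do
      n=$(normalize_host "$n")
      case $n in
        *[!0-9.]*) d=$((d+1)); printf 'DNS.%d = %s\n' "$d" "$n" ;;  # host name
        *)         i=$((i+1)); printf 'IP.%d = %s\n' "$i" "$n" ;;   # IPv4 literal
      esac
    done
  } > "$cnf"
}

# make_cert DIR NAME...  Writes DIR/nas.cnf, DIR/nas.key and DIR/nas.crt.
make_cert() {
  dir=$1; shift
  write_cnf "$dir/nas.cnf" "$@" &&
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/nas.cnf" -keyout "$dir/nas.key" -out "$dir/nas.crt" 2>/dev/null
}

# cert_matches CRT NAME  Succeeds only if the certificate is valid for NAME.
cert_matches() {
  n=$(normalize_host "$2")
  case $n in *[!0-9.]*) opt=-checkhost ;; *) opt=-checkip ;; esac
  openssl x509 -noout -in "$1" "$opt" "$n" | grep -q 'does match certificate'
}
```

For example, `make_cert . nas.example.org nas 192.168.1.20` followed by `cert_matches nas.crt nas` confirms the names before the certificate is installed on the NAS.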
-
- Getting the hang of things
- Posts: 79
- Joined: Sat Aug 22, 2009 5:14 am
Re: [HELP] Mismatched Address Certificate Error
Great!
Yes, like I said, the CN (Common Name) must always match the external name. I did give an example (mail.domain.com) but I forgot to say to explicitly exclude the http:// part. Sorry about that!
Anyway, glad you got it sorted! And thanks for that sslchecker link. That's a nice one!
- nuspieds
- Know my way around
- Posts: 133
- Joined: Tue Jul 14, 2009 3:35 am
- Location: Los Angeles
Re: [HELP] Mismatched Address Certificate Error
JohnVK wrote: Yes, like I said, the CN (Common Name) must always match the external name. I did give an example (mail.domain.com) but I forgot to say to explicitly exclude the http:// part. Sorry about that!
No need to apologize because I wasn't referring to your example. I got caught up in the OpenSSL documentation and they included the "http://" all over the place, so that's what I was following. In addition, on my Windows system, I have two trusted certificates from valicert.com and both have the "http://" included in their CNs! Now you know why I was automatically including it with mine!