Subject: Re: SSL certificate creation for localhost
To: user@ofbiz.apache.org
From: Richard Siddall
Date: Wed, 1 Feb 2017 11:36:40 -0500

Skip,

I agree with everyone else that Let's Encrypt is a great source for free SSL certificates, but we're not really answering your question.

You should be able to follow the Production Setup Guide and generate a CSR, then use OpenSSL to generate a self-signed certificate in PKCS#7 format, e.g. follow
http://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl#10176685
to get a self-signed cert, and
https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pfxpkcs12/
to convert to PKCS7. Then you can finish up with the steps using keytool from the guide.

If you choose to spend the time setting up certbot or one of the other Let's Encrypt clients (I use getssl: https://github.com/srvrco/getssl) then you skip the CSR generation step and start with the key file the client generates and the certificate it gets from Let's Encrypt (once you've gotten the validation working).

I hope that helps.

Richard Siddall

Skip wrote:
> For my development machine as well as other users in the local intranet, I
> am using the default SSL certificate that comes with ofbiz. However, this
> cert is not accepted by IE 11 (giving the very helpful error message "This
> page can't be displayed").
> Firefox reports that the certificate "was signed
> using a certificate algorithm that was disabled...".
>
> I can and have made modifications to Firefox and Chrome to accept this
> certificate and that is all good.
>
> However, I am writing a Windows Win32 application that queries an ofbiz
> https URL and gets json data. I am getting the same error with this
> application (works fine with http instead of https) that I get with IE11. I
> have to use Win32 APIs because this app is running on a really low power box
> that requires some windows services, so I can't use Linux.
>
> I can make this app work by running the request through an apache server and
> using ajp to the ofbiz server where the apache server has a good signed
> certificate, so I am sure the ofbiz URL is working just fine.
>
> I have tried the advice here:
>
> https://cwiki.apache.org/confluence/display/OFBIZ/Ant+Script+to+build+new+ofbiz+self+cert
>
> The above ant script generates a cert file that doesn't work at all with
> Firefox or IE.
>
> This link:
> https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide#ApacheOFBizTechnicalProductionSetupGuide-SSLCertificateSetup
> describes a production setup. However, I am interested in multiple dev
> machine setups and I don't want to wait on a real certificate authority.
>
> So, can anyone tell me how to generate a self signed certificate and install
> it on ofbiz that will be accepted by IE11? A real certificate is $100 and
> weeks of work.
>
> All I care about is getting IE11 to connect on localhost to ofbiz using
> https.
>
> Thanks in advance.
>
> Skip
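
The OpenSSL part of the procedure in the reply above (self-signed certificate, then conversion to PKCS#7), as an added example that is not part of the original message or of the OFBiz guide. It assumes SHA-256 with a 2048-bit RSA key and a subjectAltName for localhost; the thread does not say which algorithm the default certificate used, and the file names are placeholders. The keytool import steps from the guide still follow.

```shell
#!/bin/sh
# Added example, not from the thread. File names, subject and SAN values
# are assumptions chosen for a localhost development machine.

# Create key + self-signed cert (PEM) and a PKCS#7 copy in directory $1.
make_localhost_cert() {
    outdir="$1"
    mkdir -p "$outdir" || return 1

    # Request config: CN plus subjectAltName entries for localhost.
    cat > "$outdir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no

[dn]
CN = localhost

[v3]
subjectAltName = DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF

    # 2048-bit RSA key, no passphrase, SHA-256 signature, valid 365 days.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/localhost.cnf" \
        -keyout "$outdir/localhost.key" \
        -out "$outdir/localhost.pem" 2>/dev/null || return 1
    chmod 600 "$outdir/localhost.key"

    # PEM -> PKCS#7 (.p7b), the format the reply mentions.
    openssl crl2pkcs7 -nocrl -certfile "$outdir/localhost.pem" \
        -out "$outdir/localhost.p7b"
}

# Print the signature algorithm of the PEM certificate in $1.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Count the certificates contained in the PKCS#7 file $1.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}
```

Running `cert_sig_alg` against the certificate currently served by a dev instance shows whether its signature algorithm is the one the browser message complains about before anything is regenerated.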