I have configured the CNAME record on GoDaddy to point www to # and I created an SSL certificate for mydomain.com.
I have no problem accessing it via https://example.com, but it throws an SSL exception
"Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for www.example.com. The certificate is only valid for example.com."
if I access it via https://www.example.com.
What's the issue with that, since I have created the CNAME mapping for www?
When your browser checks the certificate, it just takes what's between https:// and / (if any). Since www.example.com does not match the subject in your SSL cert, the validation fails.
You need to check the knowledge base of your CA to generate a proper certificate which would have www.example.com listed as an alias in your certificate.
I applied for a certificate for 1991421.cn, but I found that I can use this certificate for static.1991421.cn's services.
I am very confused: what is the difference between this certificate and a pan-domain certificate such as *.1991421.cn?
I originally wanted to apply for two certificates, 1991421.cn and static.1991421.cn, so as to use the corresponding two web services, but I found that 1991421.cn can be satisfied with one certificate.
~~I think you can't use the certificate of *.example.com for https://example.com, because this link is not comparable with the mask.~~
I made a mistake:
You can use example.com for first.example.com and for second.first.example.com.
But you cannot use *.example.com for second.first.example.com. A wildcard certificate for *.example.com supports only the first-level domain, but does not support the second level. (For the second level you need cert *.example.com)
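The hostname check discussed in the answers above (the browser compares the host part of the URL with the names in the certificate, and a wildcard stands for one label), as an added example that is not part of the original posts. It is a simplified RFC 6125-style matcher; the function names and the certificate name lists are constructed for illustration, and real browsers apply further rules (such as public-suffix checks) that are not modeled here.

```python
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Return True if one DNS name from a certificate covers `host`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Only a whole leftmost label may be a wildcard, and it needs at
        # least two fixed labels after it (rejects names like "*.com").
        if len(p_labels) < 3:
            return False
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    # No wildcard: the name must match label for label.
    return p_labels == h_labels


def cert_covers(dns_names, host):
    """True if any DNS name listed in the certificate covers `host`."""
    return any(name_matches(name, host) for name in dns_names)


def url_covered(dns_names, url):
    """Take the host between 'https://' and the next '/', then check it."""
    host = urlsplit(url).hostname or ""
    return cert_covers(dns_names, host)


# Constructed name lists standing in for the DNS names of three certificates.
BARE = ["example.com"]                     # bare domain only
BOTH = ["example.com", "www.example.com"]  # www listed as an extra name
WILD = ["*.example.com"]                   # wildcard certificate

if __name__ == "__main__":
    for label, names in (("BARE", BARE), ("BOTH", BOTH), ("WILD", WILD)):
        for host in ("example.com", "www.example.com",
                     "second.first.example.com"):
            print(label, host, cert_covers(names, host))
```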
I provisioned a server using Forge and set the domain to blog.example.com. I generated a LetsEncrypt certificate for that server and set the site to run on HTTP/2. It was perfectly fine.
However, I need to make the server accessible via www.blog.example.com now. So I set a CNAME record to route www.blog to blog.example.com. But I got the error "This site can't provide a secure connection" when I tried to access the site via www.blog.example.com. So I tried to generate a new certificate for www.blog.example.com, but Forge replied "First domain does not match root domain on site".
How can I solve the problem?
Thank you.
I added a self-signed certificate in .pem format in Firefox under the Authorities tab. When I access the site, Firefox throws the error
mozilla_pkix_error_ca_cert_used_as_end_entity
It says that the certificate is not trusted because it is self-signed. What can be the issue?
If you add the certificate as an authority then it should be used as an authority, i.e. for signing other certificates. If you instead use it as a server certificate (i.e. as end entity and not authority) then it should not be added as an authority to Firefox but instead as a server certificate. This will be done automatically if the certificate is not known and you click through the certificate error messages when connecting to your site and accept the site's certificate permanently.
You should also make sure that your certificate contains the necessary key purpose to be used as a server certificate.
I'd like to connect to my website via https URLs even though at the moment I don't have any certificate. I want to do this to test the URL structure on all pages. Is this possible?
If I type https://www.example.com I see a blank page.
There is no way to get around needing a certificate for an https connection, however you can go for the free option of a self-signed certificate. Have a look into a service such as http://www.selfsignedcertificate.com/ to get the key and certificate created for your website.
Is there a way to change Fiddler's root certificate? I want it for a scenario where the client app uses certificate pinning and I have access to the keystore whose certificate is trusted by the client app.
I think you're asking "Can I change the certificate Fiddler uses for a particular site" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.