Certificate maintenance and errors

Started by Eclipse, August 07, 2009, 04:02:56 PM


Eclipse

Can anyone tell me why it's such a problem to properly maintain the security certificates on CAP websites?

"That Others May Zoom"

Thom

I know a fair bit about these issues from my day job, but I'm not sure exactly which Certificate issue you are referring to.

Do you mean the issues with the .mil sites where our Tests and Training are hosted?  Or, is this an actual CAP site that is giving you trouble?


Thom Hamilton

Eclipse

The WMU certificates have been invalid for a while, and as I recall so have the ones on the test sites.

(I know the WMU isn't really an NHQ site, but it's got a .gov domain and the certs can't be that difficult to maintain properly).


"That Others May Zoom"

Thom

Quote from: Eclipse on August 07, 2009, 05:33:42 PM
The WMU certificates have been invalid for a while, and as I recall so have the ones on the test sites.

(I know the WMU isn't really an NHQ site, but it's got a .gov domain and the certs can't be that difficult to maintain properly).

I hadn't even noticed the WMU was out of date.  That probably reflects the National HQ IT folks just letting it slip past them.  The WMU site uses a 'Self Certified' Certificate, so it will ALWAYS throw an error the first time you visit it from a machine.  But, letting it expire was just a mistake.

As to the Test Sites at the various .mil addresses, those are not (that I can find) EXPIRED, but they are UNVERIFIABLE.  This is because they are signed by the DOD, not by any of the Commercial Signing Authorities.

Virtually all modern Web Browsers include a built-in list of CAs (Certificate Authorities) who have been Trusted to only sign Certs for people who can prove they are themselves.  When a CA goes Rogue, updates are published to remove them from the list in most browsers.  You'll see these in Microsoft Update occasionally, as Root Certificate List Updates.

Almost NO modern browsers include the US DOD as a valid CA, since the DOD doesn't sign commercial site certificates to be visited by most people.  One of the .mil Test sites has a program you can download and run which will Add the DOD to your list of approved Root CAs, I have done it on my machines and now I don't even notice any issues with the .mil sites.

Even without that, you should be able to simply tell Firefox to Add a Permanent Exception the first time you visit a site, and never have to worry about Cert issues again (for that site) on that computer.

If you aren't using Firefox,  :(  :(  :(

On the iPhone, there is no option to permanently store an exception, so you have to click past a warning each time, but I live with that in exchange for eServices, WMU, WMIRS, etc. in my pocket.   ;D   8)

Yes, this is all more complicated than it needs to be.  Sorry!  If you still have an issue with a particular site prompting you even after you have added an Exception, let me know and I'll see what we can do for you.

Thom Hamilton

Eclipse

One of the issues is the exceptions - I understand them, but most browsers throw a big red error, or "don't go here", or similar.

If you're not technical, the next call involves some level of grumbling to higher HQ, or worse, rumors that NHQ, etc., has been "HAXORED!"

A cert that is unverifiable, even for legitimate technical reasons, pretty much defeats the purpose of them to start with.

"That Others May Zoom"

Thom

Quote from: Eclipse on August 07, 2009, 07:11:26 PM
One of the issues is the exceptions - I understand them, but most browsers throw a big red error, or "don't go here", or similar.

If you're not technical, the next call involves some level of grumbling to higher HQ, or worse, rumors that NHQ, etc., has been "HAXORED!"

A cert that is unverifiable, even for legitimate technical reasons, pretty much defeats the purpose of them to start with.

Well, yes and no...

On the DOD Certificate issue, you have to realize that DOD adds their Root CA entry on all (well, supposedly...) Military and DOD machines, so those users never see any errors.  And, honestly, DOD doesn't CARE about non-DOD users, like CAP.  We are very secondary (or tertiary) in their view, users of their systems.  Heck, if DITSCAP and DIACAP had their way, the DOD would be an island, with no connections to the outside world!

As to the Self Certified sites within CAP and NHQ, there is still a useful security function to be served by the Certs, even with the exceptions being thrown.  But, you are correct, they generate lots of needless worry in the field.

Of course, CAP is free to write/commission an application, much as DOD has done, to add the CAP CA to people's machines.  It could be added to the eServices download list, and would ensure that CAP machines never griped about CAP-Issued Certificates.  (Unless they allow them to expire, like the WMU Cert.  That is a definite oversight...)

Thom Hamilton

NIN

Doesn't help that the whole certificate thing is disgustingly complex for folks who only deal with it 1-2 times a year (i.e. when a cert comes up for renewal).


Darin Ninness, Col, CAP
I have no responsibilities whatsoever
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

RiverAux

I just got Vista and it evidently doesn't like the security certificates with WMIRS as I get a warning every single time I try to access it.

SilverEagle2

I have Vista and once the DoD Root Certs are installed, the warnings go away.

https://ntc.cap.af.mil/certificates.cfm
Jason R. Hess, Col, CAP
Commander, Rocky Mountain Region

"People are not excellent because they achieve great things;
they achieve great things because they choose to be excellent."
Gerald G. Probst,
Beloved Grandfather, WWII B-24 Pilot, Successful Businessman

RiverAux

Hey, that worked.  Thanks for the tip.