Nevis Certificates

The notes on this page are now obsolete. Columbia University now provides SSL certificates for its departments without charge. We've switched to these certificates, which have a chain of trust recognized by most browsers and mail readers. Therefore, you will no longer be presented with "this certificate is not recognized" messages.

The Nevis mail and web servers use certificates to enhance security. Not all mail readers and browsers handle certificates in the same way. This web page reviews how to work with certificates in some common programs.

Thunderbird and Firefox

When you first access the Nevis server, you'll be presented with a dialog box saying that the program does not recognize the certificate's authority, and will ask for your approval. As long as the certificate says it was issued by Nevis, just check on the option that says to accept the certificate forever. On subsequent dialog boxes, continue to select the option that says you approve the certificate.

More recent versions of Firefox may not give you this option; they may simply present an alert that the Nevis certificate is self-signed. Click on "I understand the risks" and go through the dialog boxes; you want to "Get the certificate" and "Confirm exception".

This is a one-time setup procedure. After you've accepted the certificate, you'll never have to go through it again for that particular certificate.

Outlook, Outlook Express, and Entourage

The solution is to load the certificate into Windows. Try clicking on this link to the Nevis site certificate. Windows may take you through a "Certificate Wizard" for you to permanently approve a certificate. If it does not, copy the file to disk and open it from within Windows; this should automatically start the Certificate Wizard.

Mail.app and iCal in Mac OS X

Load the certificate into the Mac OS X Keychain:

  • Download the Nevis site certificate to your Mac.
  • Double-click on the file NevisSite.cer to open the Keychain Access utility (in /Applications/Utilities).
  • Follow the program prompts (e.g., entering your password) to add the certificate to your Keychain.
  • It may be that you'll still get messages of the form "This certificate uses an authority that you do not trust." If that happens, go into the Keychain Access program, select the certificate (it will have the name *.nevis.columbia.edu), and click the small "info" button near the top of the display; it's a small blue dot with the white letter "i". In the lower pane of the display, select "Always trust" from the pop-up menus.

Alpine

If you've followed the Alpine setup instructions elsewhere on this site, you don't have to do anything more. The string ssl/novalidate-cert included in the mail server identification tells Pine to use SSL solely for encryption, but not to try to validate the certificate against any authority.

Background

If you use SSL to access Nevis mail, the Nevis calendars, the Nevis electronic logbook, and some other services, you will have to deal with certificates. To put it briefly, an SSL certificate is a form of a mathematical encryption key, similar (at least in spirit) to the encryption scheme used by SSH. A certificate can be used for two things:

  • Encryption. This is important for services that require your Nevis account password; e.g., when you read mail from or send mail to the Nevis mail server. The encryption protects your password from being "sniffed" as the network traffic goes from your computer to Nevis.

  • Identification. A certificate can be used to verify that a remote computer does in fact belong to the company that it says it does.

At Nevis, the value of the second point is marginal. A company that deals with financial transactions over the web might arrange to have their certificate "signed" by a central well-known authority (such as Verisign). The Nevis certificates have no such verification, since these signatures cost money.

Most modern mail readers (including Alpine, Thunderbird, and Outlook) can handle SSL encryption, and hence can handle certificates when the program is properly configured. They will automatically approve certificates that have been signed by a certificate authority they recognize.
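
The two uses listed above can be separated in code. The following Python sketch is an added example, not part of the original page or of any Nevis tooling: it sets up an encryption-only connection of the kind ssl/novalidate-cert requests, then adds back the identification step for a self-signed certificate by comparing its SHA-256 fingerprint with a pinned value. The function names and the sample bytes are assumptions made for illustration; the pinned fingerprint is assumed to have been obtained from the server's administrator.

```python
import hashlib
import socket
import ssl

# Constructed bytes standing in for a DER-encoded certificate (not a real one).
SAMPLE_DER = b"constructed-stand-in-for-a-DER-certificate"


def novalidate_context() -> ssl.SSLContext:
    """Encryption only, as with ssl/novalidate-cert: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # has to be off before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def sha256_fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 of the DER bytes, as shown by certificate viewers."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """Compare with a pinned fingerprint, ignoring colons, spaces and case."""
    wanted = pinned_hex.replace(":", "").replace(" ", "").lower()
    return sha256_fingerprint(der_cert) == wanted


def connect_pinned(host: str, port: int, pinned_hex: str) -> ssl.SSLSocket:
    """Connect, then keep the session only if the server shows the pinned certificate."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = novalidate_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # With CERT_NONE the library checks nothing, so the identity check is done here.
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    pin = sha256_fingerprint(SAMPLE_DER)
    print("pinned certificate accepted:", matches_pin(SAMPLE_DER, pin.upper()))
    print("different certificate accepted:", matches_pin(SAMPLE_DER + b"x", pin))
```

Using novalidate_context() on its own gives the encryption described in the first bullet and nothing from the second; connect_pinned() is the programmatic counterpart of accepting one specific certificate permanently in a mail reader.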

Topic revision: r6 - 2014-05-07 - WilliamSeligman
 