(2014-05-07, WilliamSeligman)
---+!! Nevis Certificates

*The notes on this page are now obsolete. Columbia University now provides SSL certificates for its department without charge. We've switched to these certificates, which have a chain of confidence recognized by most browsers and mail readers. Therefore, you will no longer be presented with "this certificate is not recognized" messages.*

<div style="float:right; background-color:#EBEEF0; margin:0 0 20px 20px; padding: 0 10px 0 10px;"> %TOC{title="On this page:"}% </div>

The Nevis mail and web servers use [[http://en.wikipedia.org/wiki/Ssl_certificate][certificates]] to enhance security. Not all mail readers and browsers handle certificates in the same way. This web page reviews how to work with certificates in some common programs.

---++ Thunderbird and Firefox

When you first access the Nevis server, you'll be presented with a dialog box saying that the program does not recognize the certificate's authority, and will ask for your approval. As long as the certificate says it was issued by Nevis, just check the option that says to accept the certificate forever. On subsequent dialog boxes, continue to select the option that says you approve the certificate.

More recent versions of Firefox may not give you this option; they may simply present an alert that the Nevis certificate is self-signed. Click on "I understand the risks" and go through the dialog boxes; you want to "Get the certificate" and "Confirm exception".

This is a one-time setup procedure. After you've accepted the certificate, you'll never have to go through it again for that particular certificate.

---++ Outlook, Outlook Express, and Entourage

The solution is to load the certificate into Windows. Try clicking on this link to the [[http://www.nevis.columbia.edu/certs/NevisSite2033.cer][Nevis site certificate]]. Windows may take you through a "Certificate Wizard" for you to permanently approve a certificate. If it does not, copy the file to disk and open it from within Windows; this should automatically start the Certificate Wizard.

---++ Mail.app and iCal in Mac OS X

Load the certificate into the Mac OS X [[http://en.wikipedia.org/wiki/Keychain_%28Mac_OS%29][Keychain]]:

   * Download the [[http://www.nevis.columbia.edu/certs/NevisSite2033.cer][Nevis site certificate]] to your Mac.
   * Double-click on the file =NevisSite.cer= to open the *Keychain Access* utility (in =/Applications/Utilities=).
   * Follow the program prompts (e.g., entering your password) to add the certificate to your Keychain.
   * It may be that you'll still get messages of the form "This certificate uses an authority that you do not trust." If that happens, go into the *Keychain Access* program, select the certificate (it will have the name =*.nevis.columbia.edu=), and click the small "info" button near the top of the display; it's a small blue dot with the white letter "i". In the lower pane of the display, select "Always trust" from the pop-up menus.

---++ Alpine

If you've followed the Alpine [[AlpineWithoutPasswords][setup]] instructions elsewhere on this site, you don't have to do anything more. The string =ssl/novalidate-cert= included in the mail server identification tells Pine to use SSL solely for encryption, but not to try to validate the certificate against any authority.

---++ Background

If you use SSL to access Nevis [[mail]], the Nevis [[calendar][calendars]], the Nevis [[https://www.nevis.columbia.edu/elog/][electronic logbook]], and some other services, you will have to deal with certificates.

To put it briefly, an [[http://en.wikipedia.org/wiki/Ssl_certificate][SSL certificate]] is a form of a mathematical encryption key, similar (at least in spirit) to the encryption scheme used by [[http://www.openssh.org/][SSH]]. A certificate can be used for two things:

   * Encryption. This is important for services that require your Nevis account password; e.g., when you read mail from or send mail to the Nevis mail server. The encryption protects your password from being "sniffed" as the network traffic goes from your computer to Nevis.
   * Identification. A certificate can be used to verify that a remote computer does in fact belong to the company that it says it does.

At Nevis, the value of the second point is marginal. A company that deals with financial transactions over the web might arrange to have their certificate "signed" by a central well-known authority (such as [[http://www.verisign.com/][Verisign]]). The Nevis certificates have no such verification, since these signatures cost money.

Most modern mail readers (including Alpine, Thunderbird, and Outlook) can handle SSL encryption, and hence can handle certificates when the program is properly [[ConfigureMail][configured]]. They will automatically approve certificates that have been signed by a [[http://en.wikipedia.org/wiki/Certificate_authority][certificate authority]] they recognize.
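A self-signed certificate has no authority vouching for it, so the identification check described above comes down to confirming that the certificate a server presents is byte-for-byte the one you already hold (for example, the downloaded site certificate file). The following is an added example, not part of the original page or of any Nevis tooling; the function names are hypothetical and =SAMPLE_DER= is constructed stand-in data, not a real certificate.

```python
# Added example: compare certificate fingerprints before accepting a
# self-signed certificate as a permanent exception.
import hashlib
import hmac
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed stand-in bytes (NOT a real certificate). A fingerprint is a hash
# over the raw DER bytes, so any byte string shows the comparison logic.
SAMPLE_DER = b"\x30\x82" + bytes(range(1, 65))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def to_der(data: bytes) -> bytes:
    """Accept a .cer file in either PEM (text) or DER (binary) form."""
    if data.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(to_der(data)).hexdigest()


def same_certificate(trusted: bytes, presented: bytes) -> bool:
    """True only if both inputs encode exactly the same certificate."""
    return hmac.compare_digest(fingerprint(trusted), fingerprint(presented))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the DER certificate a server presents, without validating it.

    Validation is switched off here only so that a self-signed certificate
    can be retrieved and compared; no credentials are sent on this connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: PEM and DER copies of
    # the same bytes match, a copy with one changed byte does not.
    print(same_certificate(SAMPLE_PEM, SAMPLE_DER))
    print(same_certificate(SAMPLE_PEM, SAMPLE_DER[:-1] + b"\x00"))
```

In practice, =trusted= would be the contents of the certificate file obtained over a channel you trust, and =presented= the result of =fetch_presented_cert= for the server you are about to approve.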
Topic revision: r6 - 2014-05-07 - WilliamSeligman