Opened 14 years ago
Last modified 11 years ago
#163 new enhancement
401 page should link users to renew their certificates at https://ca.mit.edu/ca/certgen
Reported by: | afarrell | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | web | Keywords: | |
Cc: |
Description
Users coming to sites hosted on scripts.mit.edu that require certificates would be helped by a link directing them to where they can renew their certificates
I would suggest just adding
<p> Its possible you just need to <a href="https://ca.mit.edu/ca/certgen">renew your MIT Certificates. </a></p>
to line 42 of /mit/scripts/www/unauthorized.html
Change History (8)
comment:1 follow-up: ↓ 2 Changed 14 years ago by andersk
- Resolution set to invalid
- Status changed from new to closed
comment:2 in reply to: ↑ 1 Changed 14 years ago by geofft
- Resolution invalid deleted
- Status changed from closed to reopened
Replying to andersk:
People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).
Did you try it?
(I'm getting unauthorized.html from not having certificates at all. My memory is that expired certs are the same.)
comment:3 Changed 14 years ago by andersk
Yes.
comment:4 Changed 14 years ago by ezyang
I did some testing with Chromium, with no MIT CA and not Personal Certificates. First Chromium warns you about the certificate not being trusted, and then it gives you the unauthorized HTML page. So I think there could definitely be some value about this. Is it possible to install a personal certificate signed by the MIT CA w/o the MIT CA?
comment:6 Changed 13 years ago by ezyang
- Priority changed from tiny to minor
comment:7 Changed 13 years ago by ezyang
- Keywords certificates 401 removed
comment:8 Changed 11 years ago by geofft
- Owner geofft deleted
- Status changed from reopened to new
Disowning, since (as with the other ticket I disowned) I have no state on this and don't particularly intend to do any work towards it.
For reference, I just tested in Firefox (Iceweasel 10 on wheezy), and you get a browser certificate error screen from an expired cert. I would vaguely be in favor of the server-hacking Anders alluded to, but I'm not volunteering. In any case, it seems worthwhile in case you just don't have a certificate at all and you are seeing unauthorized.html.
To Edward's question: the client and server CAs are different and unrelated (and indeed now, the server CA is all but unused).
People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).