401 page should link users to renew their certificates at https://ca.mit.edu/ca/certgen

[afarrell]

Users coming to sites hosted on scripts.mit.edu that require certificates would be helped by a link directing them to where they can renew their certificates

I would suggest just adding

<p> Its possible you just need to <a href="​https://ca.mit.edu/ca/certgen">renew your MIT Certificates. </a></p>

to line 42 of /mit/scripts/www/unauthorized.html

[andersk]

People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).

[geofft]

Replying to andersk:

People with expired certificates get an SSL error message from their browser; they will never get as far as unauthorized.html (unless we seriously hack the server).

Did you try it?

(I'm getting unauthorized.html from not having certificates at all. My memory is that expired certs are the same.)

[andersk]

Yes.

[ezyang]

I did some testing with Chromium, with no MIT CA and not Personal Certificates. First Chromium warns you about the certificate not being trusted, and then it gives you the unauthorized HTML page. So I think there could definitely be some value about this. Is it possible to install a personal certificate signed by the MIT CA w/o the MIT CA?

[ezyang]

Milestone None deleted

[geofft]

Disowning, since (as with the other ticket I disowned) I have no state on this and don't particularly intend to do any work towards it.

For reference, I just tested in Firefox (Iceweasel 10 on wheezy), and you get a browser certificate error screen from an expired cert. I would vaguely be in favor of the server-hacking Anders alluded to, but I'm not volunteering. In any case, it seems worthwhile in case you just don't have a certificate at all and you are seeing unauthorized.html.

To Edward's question: the client and server CAs are different and unrelated (and indeed now, the server CA is all but unused).