Strange question, but bear with me.
I've run the keystore generator (alfresco-ssl-generator-master) to produce a browser client certificate to communicate with the Solr console. The keystore (browser.p12) has to be imported into the browser key manager. There are instructions to do this (but, of course, they're always out of date because browsers change all the time).
The problem is that the browser doesn't trust this certificate, so the instructions tell you to add a security exception for your site ("This is due to the certificate not being tied to the server IP address", which is incorrect).
However, you can't add a security exception if your site uses HSTS (Strict-Transport-Security), and I imagine that most sites nowadays use HSTS. The client certificate ('Custom Browser Client') is signed by 'Custom Alfresco CA', and the actual problem is that 'Custom Alfresco CA' has to be imported as a trusted root certificate.
The client can't add the security exception because of HSTS, so should I ask the client to add the trusted root certificate instead? This sounds like it might be a really bad idea. How was the certificate generated? How easy would it be for an attacker to recreate this cert?
The alternative is to tell the client to find another way to ignore the security exception (the Chrome 'thisisunsafe' easter egg, or whatever). Thoughts?
The best approach is to add the Custom Alfresco CA to the browser/OS trusted root certificate store.