Installing the Root Certificate

Alexander Tauenis edited this page Oct 17, 2024 · 2 revisions

To make HTTPS connections work through the WebOne proxy, you need to install the proxy server's Root Certificate Authority. Otherwise you'll get SSL connection failures or warning messages (depending on the client software used). With the root certificate installed, connections should succeed. Alternatively, you can bypass the certificate check by opening all web sites via the http:// protocol, and WebOne will enable access via plain HTTP.

This article covers only the CA Root Certificate. Other SSL-related topics are explained in a separate article. See also: HTTPS and SSL.

Where it is located

The Root Certificate can be downloaded from the proxy server's status page.

Microsoft Internet Explorer

Just download it to disk, open it, and click Install Certificate. If automatic detection of the certificate kind fails, you may need to set it up manually as a Trusted Root Certificate Authority.

Many MS Windows applications, such as mIRC, Miranda, and MSN/Windows Messenger, will also use this certificate for secure connections through the proxy.

Microsoft Internet Explorer for Macintosh

Just click the link, and follow the instructions of the Certificate Authority accepting wizard.

Unlike Windows Internet Explorer, IE:Mac does not install the certificate into the system database, so other applications will not use it. For Apple MacOS X, see the Safari steps.

Microsoft Internet Explorer for Windows 3.11

It seems to lack support for installing CAs from files, but it is still possible to install the certificate directly into the registry. Download the root certificate file, and open it in a hexadecimal editor. Then run the MSIE Registry Editor, located at C:\WINDOWS\SYSTEM\REGEDT16.exe. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities\, and create a branch for WebOne Certificate Authority XXX, where XXX is your CA number. The CACert key is the place for the contents of your WebOneCA.crt file (nearly 1000 bytes).

Hint: you can copy the contents of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities\WebOne Certificate Authority XXX registry branch from a machine with Windows 95 or NT 4.0 where the certificate is already installed. REGEDT16 can import REGEDIT 4.0 .REG files.

Netscape Navigator 4.x

Just click the link, and Navigator will start the Certificate Authority accepting wizard. Follow its instructions.

Mozilla Firefox

Download the certificate, then go to Tools -> Options -> Advanced -> Encryption, click View Certificates, go to the Authorities tab and click the Import button. Then choose the downloaded file, and click Open. Firefox will ask how you trust the certificate. Choose the first checkmark.

Mozilla Suite, Netscape 6.x, 7.x, SeaMonkey

The instructions fall somewhere between those for Netscape 4 and Firefox. Some Mozilla versions display an import dialog window after you click the CA download link; others require you to import it manually from the downloaded file via Edit -> Preferences -> Privacy & Security -> Certificates -> Manage Certificates -> Authorities -> Import.

Opera

Download the file to disk. Go to Tools -> Preferences -> Advanced -> Security, click Manage Certificates, go to Authorities, and click Import. Then choose the downloaded file, and click the View button. The certificate will be displayed. Check the "Allow connections to sites using the certificate" mark (if it is not already checked), and uncheck the "Warn me before using this certificate" mark.

Some versions of Opera display the described dialogue window after you click the CA file link. In that case it is enough to import the certificate via that window.

Apple Safari, Google Chrome (Windows)

The steps are identical to those for Microsoft Internet Explorer, as these browsers use the Windows certificate database.

Apple Safari, Google Chrome (MacOS X)

Download the file to your hard disk. Then open the Keychain Access utility application. Look at the keychains list; it should contain the X509Anchors keychain. If not, add it to the list: select Add Keychain... from the File menu. In the resulting dialog box, select the X509Anchors keychain found at /System/Library/Keychains/X509Anchors and click Open. If the keychain is grayed out, it has already been added to the list of keychains in Keychain Access.

Note: the keychain list is hidden by default. Click the Show Keychains button (its appearance differs between Tiger and Panther) to show it.

Then import the certificate into the X509Anchors keychain.

Many MacOS X applications, such as Microsoft Messenger, will also use this certificate for secure connections through the proxy.

Google Android

Just open the download link and follow the instructions displayed by Android OS. The certificate will be used by all Android applications to establish secure connections through the proxy.

Windows Mobile

Windows Mobile has a very strange way of installing CA certificates on a PDA: they are installed from CAB files, not CER/CRT files. You will need the PEM-encoded root certificate file. This is the http://proxy:8080/WebOneCA.pem file or the file located at /etc/webone.conf.d/ssl.crt, not the default http://proxy:8080/WebOneCA.crt or http://proxy:8080/!ca (those are in DER format).

  1. Create an XML file, called _setup.xml, with the following contents:
<wap-provisioningdoc>
   <characteristic type="CertificateStore">
     <characteristic type="ROOT">
       <characteristic type="certhash">
          <parm name="EncodedCertificate" value="base64encodedcert"/>
       </characteristic>
     </characteristic>
   </characteristic>
</wap-provisioningdoc>
  2. Open the WebOne CA certificate file, and find Thumbprint in the Field list (on the Details tab). Copy its contents.
  3. Replace certhash in the XML with the certificate thumbprint, without spaces.
  4. Open the WebOne CA certificate file in a text editor, and copy its contents except for the BEGIN CERTIFICATE and END CERTIFICATE lines.
  5. Replace base64encodedcert in the XML with the root certificate body.
  6. Compile the CAB package from the command prompt: makecab _setup.xml <filename>.cab (you may specify any name for the CAB file).
  7. Copy the CAB file to the PDA, and install it by opening it in the Explorer application.
  8. The result of the installation can be checked in the Start>Settings>Security>Certificates>Root control panel of the PDA.
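
The thumbprint and certificate-body substitutions described in the steps above can be scripted. The following is an added example, not code from the WebOne project: it fills the _setup.xml template from a PEM file, assuming the Thumbprint that Windows displays is the SHA-1 hash of the certificate's DER bytes. The function names and the sample bytes are made up for the illustration, and the sample is not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found; a DER .crt file will not work")
    # Drop line breaks, then decode strictly so stray characters are rejected.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def build_setup_xml(pem_text):
    """Fill the page's _setup.xml template for one root certificate."""
    der = pem_to_der(pem_text)
    # Assumption stated in the lead-in: Thumbprint = SHA-1 over the DER bytes.
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    encoded = base64.b64encode(der).decode("ascii")  # one line, no PEM armor
    return (
        "<wap-provisioningdoc>\n"
        '   <characteristic type="CertificateStore">\n'
        '     <characteristic type="ROOT">\n'
        f'       <characteristic type="{thumbprint}">\n'
        f'          <parm name="EncodedCertificate" value="{encoded}"/>\n'
        "       </characteristic>\n"
        "     </characteristic>\n"
        "   </characteristic>\n"
        "</wap-provisioningdoc>\n"
    )


# Constructed stand-in bytes (NOT a real certificate), about the size the
# page mentions, wrapped in PEM armor so the script runs without a proxy.
SAMPLE_DER = bytes(range(256)) * 4
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Usage: python make_setup_xml.py WebOneCA.pem > _setup.xml
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    sys.stdout.write(build_setup_xml(pem))
```

Before building the CAB, compare the 40-character value in the generated file with the Thumbprint shown in the certificate's Details tab; a mismatch means the input was not the certificate you intended to trust.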

The certificate will be used by Pocket Internet Explorer and some other applications that use the system certificate storage.


What if I see an error message not related to certificate?

If you can't access HTTPS web sites via WebOne even after successfully importing the CA certificate, and you see attempts to open the site through the proxy in the WebOne log (if you don't, the client is misconfigured and is trying to connect directly to the Internet), see this article about known problems and their troubleshooting.
