Certificates Ideas

  • Question

  • I know that WHS self-issues its own root certificate.  First, I'd like to see it issue one with something indicating that it was issued by WHS, instead of the long alpha-numeric text it uses as its CN.

     

    Any plans/methods of allowing it to integrate it into an existing CA structure?  As far as I can see the only reason it issues a cert is to allow SSL using livenode.com (rtm is homeserver.com?).

     

    Also, allowing the root CA to be used to issue certs for EAP for wireless access points might be useful.  Enhancing security is always a good idea, although EAP might open up a huge can of worms (client certs and different EAP types - afaik there are some that are "less secure" that allow you to only use server certs...)

     

    -- Starfox

    Thursday, July 19, 2007 10:24 AM

Answers

  • The team has said that the certificate issues will be dealt with for RTM, so I assume that when we can buy OEM hardware or a System Builder pack, we'll see that. I would bet it still won't have a friendly name, though. :)

    And the certificate is issued for other reasons, too, not just for the Remote Access web site: at least some of the communications between the server and the client are encrypted.
    Saturday, July 21, 2007 3:30 AM
    Moderator

All replies

  • Thanks Ken, wish they had more for us as this is and can be a HUGE issue for users that are not so much like us and understand certs...

     

    I've even tried installing the cert manually onto our PCs here at home with no real absolute success, other than using the IE tab add-on with FF, that works better than IE for those that have issues with it, but for the RTM, it really needs to be resolved. Thing is, in resolving it, it merely needs to be published and that should be happening now, if one would be business savvy... :>/

    Friday, August 3, 2007 1:58 AM
  • I know this has gone to RTM, but I think the WHS team made a design error overloading the standard port 80/443 service with the connector communications.  All the problems that I have been reading on this forum with certs reflect this, I think.

     

    The standard 80/443 is used for remote access and this is a completely different network use case.  The client is on the Internet, not a home intranet.  Access to the server from the Internet to the server will always be mediated by a firewall, either Windows Firewall or more likely, a router that provides the home (wireless) network.   The server will need a static IP address in either case, but the value of it will be different if it is Internet addressable or part of home network.  Remote access needs plain old one way SSL/TLS under HTTP, whereas Windows Home Connector could use Web Services on any port. On a home intranet, there are not going to be any internal firewalls and the computers are not going to be set up to block outbound connections on non-standard ports.

     

    I would think that as a part of the WHS install, it would install a *non-default* Web site that listened on a different port than 443.   The WHS Connector software could easily be configured to use this port.

     

     

    Thursday, August 23, 2007 8:16 PM
  •  TooTallSid wrote:

      The server will need a static IP address in either case,

     



    WHS contains a dynamic DNS client to update the domains of people who have dynamic IPs, so that you don't need a static IP. Similar to dyndns.com and no-ip.com.


    Friday, August 24, 2007 10:06 AM
  • Almonde, the server needs a static IP address inside the network because, unless your router can truly be configured using UPnP, every time the server IP changes the port forwarding that lets Remote Access work will break.
    Friday, August 24, 2007 11:29 AM
    Moderator
  • Thanks for the clarification Ken, I was taking IP address meaning WAN IP not LAN IP.  My router seems to have long leases on DHCP anyway and therefore they never seem to change even if a device is disconnected for a while.
    Friday, August 24, 2007 2:39 PM
  • Just upgraded to the RTM - and still getting security certificate errors!!!!
    Thursday, September 20, 2007 9:46 AM
  • Yes, the certificate issue is still there in the RTM release - I heard a podcast a while ago where Charlie Kindel said they were working on something for the future, but I got the impression that it wasn't for the RTM timeframe.

     

    Andrew

    Thursday, September 20, 2007 10:11 AM
    Moderator
  •  TooTallSid wrote:

    I know this has gone to RTM, but I think the WHS team made a design error overloading the standard port 80/443 service with the connector communications.  All the problems that I have been reading on this forum with certs reflect this, I think.

     

    The standard 80/443 is used for remote access and this is a completely different network use case.  The client is on the Internet, not a home intranet.  Access to the server from the Internet to the server will always be mediated by a firewall, either Windows Firewall or more likely, a router that provides the home (wireless) network.   The server will need a static IP address in either case, but the value of it will be different if it is Internet addressable or part of home network.  Remote access needs plain old one way SSL/TLS under HTTP, whereas Windows Home Connector could use Web Services on any port. On a home intranet, there are not going to be any internal firewalls and the computers are not going to be set up to block outbound connections on non-standard ports.

     

    I would think that as a part of the WHS install, it would install a *non-default* Web site that listened on a different port than 443.   The WHS Connector software could easily be configured to use this port.

     

     




    The connector does not use 80/443 to communicate with the Home Server. It uses ports 55000 and 56000. That's why in the connector troubleshooting information you are asked to see if you can get to the web services on those ports.
    Tuesday, October 2, 2007 2:19 PM
    Moderator
  • Evening,

     

    I can confirm that the Certificate error is still present in the OEM version.

    I initially installed the OEM as an 'upgrade' from RC. As the error was there then, I tried a complete new install and blow me, it's still there.

     

    Colin

     

    Tuesday, October 2, 2007 4:38 PM