Nevis Certificates

The Nevis mail and web servers use certificates to enhance security. Not all mail readers and browsers handle certificates in the same way. This web page reviews how to work with certificates in some common programs.

If you use SSL to access Nevis mail, the Nevis calendars, the Nevis electronic logbook, and some other services, you will have to deal with certificates. To put it briefly, an SSL certificate is a form of a mathematical encryption key, similar (at least in spirit) to the encryption scheme used by SSH. A certificate can be used for two things:

Encryption. This is important for services that require your Nevis account password; e.g., when you read mail from or send mail to the Nevis mail server. The encryption protects your password from being "sniffed" as the network traffic goes from your computer to Nevis.
Identification. A certificate can be used to verify that a remote computer does in fact belong to the company that it says it does.

At Nevis, the value of (2) is marginal. A company that deals with financial transactions over the web might arrange to have their certificate "signed" by a central well-known authority (such as Thawte). The Nevis certificates have no such verification, since these signatures cost money.

Most modern mail readers (including Pine, Thunderbird, and Outlook) can handle SSL encryption, and hence can handle certificates when the program is properly configured. They will automatically approve certificates that have been signed by a certificate authority that they recognize.

For the most common mail readers used at Nevis, here's how to deal with certificates whose authority is not recognized by the program. Other programs (such as calendar software) typically handle certificates in the same way.

Pine
If you've followed the Pine setup instructions elsewhere on this site, you don't have to do anything more. The string ssl/novalidate-cert included in the mail server identifcation tells Pine to use SSL solely for encryption, but not to try to validate the certificate against any authority.
Thunderbird (and related browsers such as Firefox, Mozilla, and Seamonkey)
When you first access the Nevis server, you'll be presented with a dialog box saying that the program does not recognize the certificate's authority, and will ask for your approval. As long as the certificate says it was issued by Nevis, just check on the option that says to accept the certificate forever. On subsequent dialog boxes, continue to select the option that says you approve the certificate.
This is a one-time setup procedure. After you've accepted the certificate, you'll never have to go through it again for that particular certificate.
Outlook (or its variations, Outlook Express and Entourage)
Microsoft mail readers are notorious for their poor handling of certificates. They may not accept an un-authorized certificate at all; even if they do, they may require your approval for each message you send or receive.
The general solution is to load the certificate into Windows. Try clicking on this link to the Nevis site certificate. Windows may take you through a "Certificate Wizard" for you to permanently approve a certificate. If it does not, copy the file to disk and open it from within Windows; this should automatically start the Certificate Wizard.
Mail.app and iCal in Mac OS X
The standard Mac approach is similar to the Windows method: Mail.app will continually question certificates that are not issued by a recognized certificate authority. The solution is the same as well: Load the certificate into the Mac OS X Keychain::
- Download the Nevis site certificate to your Mac.
- Double-click on the file NevisSite.cer to open the Keychain Access utility (in /Applications/Utilities).
- Follow the program prompts (e.g, entering your password) to add the certificate to your Keychain.
- It may be that you'll still get messages of the form "This certificate uses an authority that you do not trust." If that happens, go into the Keychain Access program, select the certificate (it will have the name *.nevis.columbia.edu, and click the small "info" button near the top of the display; it's a small blue dot with the white letter "i". In the lower pane of the display, select "Always trust" from the pop-up menus.

to the Nevis Mail Page.

to the Nevis Computing Page.

to the Nevis Home Page.

Send any comments or questions to the webmaster.