For some sites, such as the eCAT landing page (http://web.mit.edu/ecat/ecat3) or the HR forms site (http://web.mit.edu/hr/forms/academic.html), Firefox prompts multiple times for me to select which personal certificate to use. How can I resolve this?
The default configuration in Firefox is to "Ask every time" which certificate you'd like to use. This setting is problematic for some websites, and Firefox will ask multiple times, even if you have only one personal certificate installed.
To avoid this behavior, you can configure Firefox to select your certificate automatically instead of prompting you to choose one. To do this:
- Follow the menu path Tools > Options (Windows) or Firefox > Preferences (Mac).
- Select the Advanced icon.
- Select the Encryption tab.
- In the Certificates section, change the radio button to Select Automatically.
For security reasons, and depending on whether the computer is solely for your own use, it may be better to change the setting back to Ask Every Time once you have finished accessing the site.
Note: For users who do not wish to change the setting to Select One Automatically, the multiple prompts do not seem to occur in Firefox 3.5. Note that Firefox 3.5 is a recent release and has not received much testing by MIT users. In the limited time that it has been available, we have not heard any reports of problems with the 3.5 version.
The following information does not directly pertain to this article, but may be useful for informational purposes.
This pertains to Firefox displaying the site after just one prompt for the certificate, then prompting again at regular intervals, with pauses in between, for as long as the user is viewing the site.
When an SSL client and an SSL server go through the full
negotiating a cryptographic connection (known as a
including any authentication, they establish a "session".
and server are each supposed to keep the information about
in a local store (or "cache") of sessions (typically kept in
and to reuse it in subsequent connections, rather than going
full handshake again every time.
That session is expected to last in the cache until
a) either the client or server is stopped (or restarted),
b) the client or server operator manually empties the cache,
c) the cryptographic device (if one is being used) is
d) some time limit has expired. The recommended time limit is 24 hours, although it's common to use 8 hour limits.
The intended effect is that a user needs to authenticate to
only once a day, or as often as he restarts his browser,
whichever comes
On an Apache web server, the configuration setting to take a look at is SSLSessionCacheTimeout.
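
As an added example (not part of the original article and not MIT's actual server configuration), the following mod_ssl fragment shows the session cache settings discussed above for a site that requests client certificates. The file paths, cache size and verification depth are assumed values.

```apache
# Added example: illustrative mod_ssl settings. Paths and sizes are assumptions.

# The session cache is configured server-wide, outside any <VirtualHost>.
# mod_ssl's default is "none": with no cache, sessions cannot be resumed from
# the server-side cache, so each new connection needs a full handshake,
# including the client-certificate request.
SSLSessionCache "shmcb:/var/run/apache2/ssl_scache(512000)"

# Lifetime of a cached session, in seconds. mod_ssl's default is 300
# (5 minutes). Once a session expires, the next connection performs a full
# handshake, and a browser set to "Ask every time" prompts for a certificate
# again.
# SSLSessionCacheTimeout 300
#
# 8 hours, the commonly used limit mentioned above (24 hours would be 86400):
SSLSessionCacheTimeout 28800

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/server.crt"
    SSLCertificateKeyFile "/etc/ssl/example/server.key"

    # CA that issued the users' personal certificates (assumed path).
    SSLCACertificateFile  "/etc/ssl/example/client-ca.crt"

    # Require a client certificate during the handshake.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

A longer timeout reduces repeated prompts but also keeps an authenticated session resumable for longer, which matters on shared computers for the same reason the article suggests switching back to Ask Every Time.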