[ale] SSL Certificates

mike at trausch.us mike at trausch.us
Thu Sep 20 18:01:40 EDT 2012


On 09/20/2012 04:25 PM, Ben Coleman wrote:
> I've played with the free StartCom Level 1, but have been a little put
> off by having to put intermediate certificates in the browser or email
> client to have the certificates recognized.  Is this also true at Level
> 2, or is there a way around it?

This is because it is the responsibility of the WEB SERVER to establish
the chain to the root certificate.

The way that this works is that the Web browser has trusted roots, and
some of those roots aren't used for directly signing keys; instead,
there are CA certificates that are signed by the root cert.  These are
called "intermediary certificates", or often in the case where there is
more than one, "intermediary bundles".  You have to install these at
least for GD and StartCom certs, and I'm sure many/most others.

If you do NOT install the intermediary on the Web server, then the
browser will see it as untrusted because it cannot establish the chain
of trust to the root.

To make matters worse, caching can hide these sorts of problems.

For example, imagine you visit any of my sites that are secured with a
StartCom cert.  They have the intermediate bundle installed.  Then you
visit a Web server that doesn't have the intermediate bundle installed;
the Web server won't provide it, but the Web client will recognize it as
valid anyway, because the bundle is cached.

Install all the bundles and such.

See https://www.startssl.com/?app=21 for instructions for Apache (note
the SSLCertificateChainFile directive).

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”
