When I'm trying to download certificates from one website using SSL, I found that all the certificates in the chain are same. Is that possible? If yes, what is meaning of that
Related
We use nginx for SSL termination and rotate ssl certificate yearly. But whenever we rotate we send notification to user about date and time when we are going to apply the change and they have to make changes on their end at same time. There are few enterprise tools which few customers use, and they need same certificate loaded in their trust store.
So I wanted to check if there is any way to deploy two certificates on one domain temporarily like for a week. For that period both the certificate works, so customers can move to newer certificate over that period. May be some kind of certificate chaining or something which can help us solve this problem.
PS: I am sorry if sounds too stupid, just want to listen others view on this problem.
Thanks,
GG
While it would be possible to send any number of certificates to the peer (that's what you do when sending intermediate certs) it is expected that the certificate matching the hostname is the first and the following are the chain certificates in proper order. A client will not just look into all the certificates and pick the ones which look best.
But it should be possible that you give the client the new certificate in advance and it can add this one to the list of trusted certificates, without replacing the old one. And as long as you serve the old certificate the client will find this as trusted, once you move over to the new one the client will find this as trusted too.
Even better might be to use your own CA to issue all the certificates. Then the client needs only once to install this CA as trusted and then it will automatically trust any new certificates issued by this CA, no matter if you rotate yearly or daily. This is how it works in the browsers, where google or whatever does not need to ship the new certificates to all browsers but instead these are signed by a CA trusted by the browser.
The certificate is binded exactly to the FQDN which the Users type on the address bar. If you procure a Public SSL certificates from the likes of Symantec , Digicert, Thawte, etc your clients need not update their certificate store reason being the Public Certificate Authority (CA) roots & intermediate certificates are well known and are very much a part of all the Leading OS certificate stores.
I'm having a bit of trouble understanding a bit about SSL, namely self-signed vs certified.
First, is my assumption that a self-signed certificate will still prompt the common browser warning message?
Second, data from a https domain doesn't transfer to a http domain, right? So if I had my site at domain.com, and my api at api.domain.com, I would need two certs, and have both of them setup for https?
Last, I noticed there are free SSL certs at sites like StartSSL. This feels fishy, given it can easily cost $100 for a cert at other sites. Am I wrong in being concerned?
Using a self-signed certificate will cause browser warnings. Your assumption is correct.
It depends; some browsers may warn when this occurs. But you absolutely should serve all of your services on HTTPS, so that clients can authenticate your site(s) and so that the connection is private.
It is possible to support multiple domains on a single certificate, via the Subject Alternative Name (SAN, subjectAltName) X.509 certificate extension. You could also use separate certificates.
StartSSL is trusted by all browsers; their certificates will be accepted and there is nothing "fishy" about them. You could use StartSSL's free offering to obtain two certificates - one for each domain.
If you want a single certificate for multiple domains via the SAN extension, you will have to find a product that supports that, and it will probably not be free. The Let's Encrypt initiative is working to
change the landscape in this regard, but they have not yet launched.
I had installed SSL certs one one of my cloud server by following this:
http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache
I am running jetpack plugin on my wordpress blog. The jetpack plugin is not getting connected to wordpress. I have talked with the Jetpack support guys and they say this:
Support Reply
"The problem is that OpenSSL doesn't recognize your certificate's Certificate Authority's certificate. The that URL works in browsers is because most modern browsers allow for certificate discovery by reading the "Authority Information Access" metadata from the certificate, which contains a URL from which the browser can download the CA's certificate. OpenSSL does not.
The best solution is if you can configure your webserver to supply the entire SSL certificate chain, rather than just your own certificate. That's what we do on WordPress.com. Sending the entire chain will also make your sites more compatible with older (and I believe some mobile) browsers."
Can any one describe me how can I install or provide entire certificate chain???
Thanks
These pages might help with setting up a CA and then creating a certificate: https://help.ubuntu.com/community/OpenSSL#SSL_Certificates
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
If I use SSL for my app to communicate with my server, can I use any SSL certificate, like those issued by goDaddy? I understand the reason people buy Verisign certificates(which are terribly expensive) is that they are supported by all browsers. But if I have no browser component, and the communication is between my app and my services, can I go for a cheaper one?
How SSL works
The Goal of SSL Certificates is to ensure no Man In the Middle is earsdropping on your encrypted communication. When your app is connecting to your server, your server therefore presents a certificate which tells, that the used encryption key really belongs to your server. This certificate is cryptographicly signed by a trusted party, such that the man in the middle can not forge such a certiifcate. Your app has to know the cryptographic key of the trusted party in advance to verify this signature.
Use godaddy certificates
You can use any certificate made by a trusted party which is known by your app. If you include the godaddy cryptographic key (called root certificate) in your app you can use godaddy certificates.
Use your own zero cost certificate
For you and your app, you yourself can be a trusted party for certificate signing. You can use your own self generated certificate without paying anyone for it. You only need to include your own certificate in your app. You can find a tutorial on how to generate a self signed certificate at http://www.akadia.com/services/ssh_test_certificate.html .
I created ssl certificate using IIS 5.1 and generated a file certreq.txt. Now what is the next step to use this file. I am a developer and working on a site that is host on my local machine. Is is necessary to get license from any CA?
Please guide me ASAP.
You can create a self-signed cert, but that will not be very elegant for end users if this is a public website as there is the prompt about cert validity. Otherwise, yes you need to obtain a cert from a CA. I find the best is Verisign, although DEFINITELY not the cheapest. Others are Godaddy, CheapDomain, and pretty much any registrar can help with it.
The link is for 5.1, but you can find tutorials on all versions. For testing I would go the self signed route.
The certificate generated from IIS, is a self-signed certificate, which can be used to test your website. However, if you run a public website from a self-signed certificate, every user will get a warning that the site is not safe. You will eventually need to get a license from a CA when you are ready to publish your site. Your domain host should provide an SSL certificate service, for something like $50-150/yr.
You can either self sign the certificate or send it to the CA to avoid the do-not-trust this site prompt. SSLTools Manager is a nifty app that can send your csr to a CA. Not sure about the self-signing feature though.