Problems trying to integrate Paypal certificate changes into GoDaddy shared hosting environment - ssl

I have zero experience with setting up root and intermediate certificates on web servers. PayPal is implementing security changes requiring all merchants to use SHA-256, TLS 1.2 and this specific Verisign G5 certificate. They have set up their sandbox with the new requirements so we can test our current servers and code to ensure compliance come Sept 2016. I use GoDaddy shared hosting. They have the first two in place, but they use their own certificates. PayPal insists merchants must use this particular G5 root certificate and GoDaddy insists that what they have is fine, but I can't get them working. All is fine with the current environment. I've upgraded to a new cPanel shared hosting account to test if that can be a solution, but that is not working with the sandbox either. PayPal has sent me two certificates; from what I understand I have to use one for my application code and the other has to be the server root certificate. The root is what I'm having a problem with. With conflicting stances from both PayPal and GoDaddy, and with PayPal Merchant Tech Support now not accepting any calls, only tickets that take days to communicate, this will put many merchants in a problem situation. Has anyone got any advice on how these certificates work, how many I actually need and how I can get the root certificate installed on GoDaddy's shared hosting platform?

After much communication and trial and error, it looks like GoDaddy's newer accounts are working fine with PayPal's sandbox. So long as the platform is TLS 1.2 with SHA-2 (256) and there is 2048-bit encryption on their SSL, it seems to work. PayPal's documentation that specifies that the "Verisign 2048 G5 certificate must be used" should say "or equivalent".

Related

How to sign an application and a site with SSL

I have a question regarding signing with SSL. I need to sign an application (.exe) written in Delphi. At the same time I also want to sign an Internet portal with which the application communicates. My question is: do signing services generally provide both the certificate for the application and the certificate for the site? Can you sign the application with the same certificate, or do you need another certificate? Can you sign multiple applications with the same certificate?
Thanks in advance.
Alberto
You need 2 certificates: One for code signing (that is, signing the .exe) and one for SSL (for the website).
You cannot sign the application using the same cert as you are using for SSL.
You can sign as many applications with your code signing certificate as you like.
You may or may not use the SSL cert for multiple hosts (e.g. blog.domain.com, www.domain.com, chat.domain.com, static.domain.com...); this depends on the type of certificate you are using.
Also: please note that you can get free SSL certificates (e.g. Let's Encrypt provides them, and Azure websites can use free "managed" certs from Microsoft). However, to my knowledge, there are no free code signing certificates.

Is it possible to use or negotiate different SSL certificates based on client's browser

I am using Let's Encrypt now, and I am planning on using my own CA from now on. The usage is for a personal media server and cloud storage.
Now I can install the root CA on the devices I own, but occasionally I get visitors when I share stuff. I provided the certificates to install for the visitors, and not all of them do that.
My question is: is it possible to use my root-CA-signed certificate if it is installed on the client system/browser, or else to fall back and use Let's Encrypt?
Let's Encrypt is good enough, but re-issuing every 3 months and verifying domains is a pain, especially when there is no wildcard.
No. The ClientHello message doesn't include any information about recognized CAs.

authorize.net production certificate upgrades

I have a website that integrates with authorize.net and received a notice that they are upgrading their certificates so that they are signed using Security Hash Algorithm 2 (SHA-2). Specifically, that their API services will use Entrust's SHA-256, 2048-bit certificate.
It goes on: "Please contact your solution provider and web hosting company to ensure your solution has these certificates installed and is capable of using them to secure your connection to Authorize.Net."
When users connect to the payment pages on my site, they are on a secure connection (DigiCert SHA-256 certificate), but I'm not sure if that means that my site's connection to api.authorize.net is similarly secured.
Sorry for asking what is probably a very dumb question, but how can I find out if this change will require any re-coding on my end, and how can I check that my site's certificate is going to work?
Thanks so much for your help!
I also got the notice from authorize.net, but fortunately for me our hosting site's admins took care of it. I got a similar notice from PayPal, which is also upgrading their certificates for SHA-256 compliance. In researching that one I came across this related Stack Overflow question: How can I tell if my paypal certificate is SHA-256? - PayPal service upgrades.
One answer links to this GitHub gist, which uses openssl and awk to check the installed certs. If you run it and see the certs that authorize.net has upgraded to listed, that should tell you your server will work. This assumes you're on a Linux server. Disclaimer: I'm no expert on dealing with SSL and servers - I'm chiming in only because no one else has.
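The kind of check the gist above performs, and the one the PayPal question at the top of the page needed, written here as an added shell example (not the gist's code, and not anything from PayPal, authorize.net or GoDaddy): it lists the signature algorithm and key size of every root in the CA bundle a server's TLS client trusts, and confirms by SHA-256 fingerprint whether a particular root, such as the one a payment provider publishes, is actually present. It assumes openssl and awk are installed; the bundle path and certificate file names are arguments you supply.

```shell
#!/bin/sh
# Added example, not the gist's code: inspect the CA bundle a server's TLS client
# trusts and check whether a specific root certificate is present in it.
# Assumes openssl and awk are installed; all file paths are supplied by the caller.

# split_bundle BUNDLE DIR: write each certificate in the PEM bundle to its own file.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/{n++; f=dir "/cert" n ".pem"}
                   f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$1"
}

# fingerprint CERT: SHA-256 fingerprint, the reliable way to identify a root
# (two different CA certificates may legitimately carry the same subject name).
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# bundle_has_cert BUNDLE CERT: exit 0 if CERT is one of the roots in BUNDLE.
bundle_has_cert() {
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  want=$(fingerprint "$2"); found=1
  for f in "$dir"/cert*.pem; do
    [ "$(fingerprint "$f")" = "$want" ] && found=0
  done
  rm -rf "$dir"
  return $found
}

# report_bundle BUNDLE: one line per root with subject, signature algorithm and
# key size, so roots still using sha1WithRSAEncryption or 1024-bit keys stand out.
report_bundle() {
  dir=$(mktemp -d); split_bundle "$1" "$dir"
  for f in "$dir"/cert*.pem; do
    text=$(openssl x509 -in "$f" -noout -text)
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm/{print $3; exit}')
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)
    echo "$subj | sig=$sig | key=${bits}-bit"
  done
  rm -rf "$dir"
}

# Usage: sh check_bundle.sh /path/to/ca-bundle.pem [provider-root.pem]
if [ $# -ge 1 ]; then
  report_bundle "$1"
  if [ $# -ge 2 ]; then
    bundle_has_cert "$1" "$2" && echo "root present in bundle" || echo "root MISSING from bundle"
  fi
fi
```

On Debian-style systems the bundle is typically /etc/ssl/certs/ca-certificates.crt; on shared hosting you may have to ask the provider which bundle their PHP or cURL build reads, since that is the one your payment-API calls actually use.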

Dedicated server SSL certificates, updating and installing?

We have a website on a dedicated server with iweb.com. Our SSL certificate is purchased through GoDaddy and is expiring soon, so it's time to get it updated. iWeb has a general article on how to install SSL certificates (https://kb.iweb.com/entries/21117106-Installing-SSL-certificates), but it's not detailed, so there are still some questions about that.
GENERATING A CSR AND INSTALLING A SSL CERTIFICATE:
“In order to get a SSL certificate, you need to create a Certificate Signing Request (CSR) and send it to the Certificate Authority.”
- Does it mean I can create a certificate myself for free and don't have to purchase it through GoDaddy or any other service? If yes, what is the difference? And if I already have a certificate, should I skip the certificate generation step and start with the installation?
FOLLOW THIS PROCEDURE TO INSTALL THE SSL CERTIFICATE:
Under the installation steps it asks to enter the domain name for which the SSL certificate was created; will it include the FTP, email and cPanel servers as well?
And lastly, what's going to happen with my old certificate? Will it be deleted, or do I have to remove it manually?
Thank you!
Does it mean I can create a certificate myself for free, and don't have to purchase it through godaddy or any other service?
Well, you can get a self-signed one for free. But if people are visiting your website, there will be a HUGE alert in their browser that will try to stop them from browsing.
And the Certificate Signing Request is not actually a cert! (Well, it does contain your public key and some other information.)
The difference between a self-signed and a public-CA-signed one is just like your school ID and your passport: the school ID is only valid in a small community, while the passport is recognized by the general public as a personal ID.
See: How to create a self-signed cert in Ubuntu with Apache Using OpenSSL
If you think the price for GoDaddy is too high, you may try something cheaper like PositiveSSL or RapidSSL, which are only around 10 USD/year/domain.
And there is also a free one: StartSSL
Under the installation steps it asks to enter the domain name for which the SSL certificate was created, will it include the ftp, email, cpanel servers as well?
No, just the web server you wish the general public to be able to visit.
If there is a web interface for the email (like Gmail) or cPanel, you may have to create an SSL certificate for them as well.
And lastly, what’s going to happen with my old certificate, will it be deleted or I have to remove it manually?
You should update it. If you haven't renewed and updated it, the browser will try to block your visitors with a HUGE alert again after the expiration date.
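As an added shell example (not iWeb's procedure or anything from GoDaddy), here is the CSR step the answer above describes: a 2048-bit key and SHA-256 CSR for the web server that also names the other hostnames the certificate has to cover, such as the webmail and cPanel hosts the question asks about, followed by checks that read the CSR back before it goes to the CA. It assumes openssl is installed; the hostnames and file prefix are constructed.

```shell
#!/bin/sh
# Added example (not from iWeb's or GoDaddy's documentation): create the CSR a
# CA needs, listing every hostname the certificate must cover as a SAN, then read
# the CSR back to verify it before submitting it. Assumes openssl is installed;
# the hostnames used are constructed for the demo.

# make_csr PREFIX HOST [HOST...]: writes PREFIX.key (2048-bit RSA, stays on the
# server, never sent to the CA) and PREFIX.csr (SHA-256 signed). First HOST is the CN.
make_csr() {
  prefix="$1"; shift
  sans=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
  cat > "$prefix.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
[ext]
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$prefix.cnf" \
    -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
}

# csr_sans CSR: the DNS names in the CSR's SAN extension, one per line, to compare
# against the hostnames you expect before the CA issues against them.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | awk '/Subject Alternative Name/{getline; print}' \
    | tr ',' '\n' | sed 's/^ *DNS://'
}

# csr_sigalg CSR: the CSR's signature algorithm (expect sha256WithRSAEncryption).
csr_sigalg() {
  openssl req -in "$1" -noout -text | awk '/Signature Algorithm/{print $3; exit}'
}

# csr_matches_key CSR KEY: exit 0 if the CSR's public key belongs to KEY, so the
# issued certificate will install against the key you kept.
csr_matches_key() {
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```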

Does enabling SSL require more than just turning it on?

I run an nginx-powered application and I recently turned my attention to using it over https. This is the module in nginx that does this: http://wiki.nginx.org/HttpSslModule
However, I'm somewhat unclear about what is actually required to run a site over https.
What else is there to do to serve my site over ssl? What is the role of the certificate, and is it a requirement that I purchase it from somewhere?
You need a certificate to prove to your user that the server they're connected to is indeed the one intended (and not a MITM attacker).
If your server is to be used by a limited number of users to whom you could give a certificate explicitly, you could use a self-signed certificate or create your own certification authority (CA).
Otherwise, if you want your certificate to be recognised by most browsers, you'll need to get one from a commercial CA.
You should find more details in this answer. You may also be interested in this.