Supporting new PayPal certificates on AppHarbor (SHA-256) - ssl

PayPal recently announced that they are upgrading their certificates to SHA-256 with the VeriSign G5 Root Certificate.
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US
Does AppHarbor have this root certificate installed?
Does it support SHA-256?
Thank you

Yes, SHA-256 is supported, and root certificates are updated regularly and automatically. I can also confirm that the VeriSign G5 Root Certificate mentioned in the PayPal article is installed and trusted on the platform.

Related

For a certificate, how to enable support for the "CanSignHttpExchanges" extension from Google CA?

I want to implement Signed Exchange within my website. I know that, in production, a certificate with the CanSignHttpExchanges extension is needed for the signed exchange. My website is hosted on AWS and I have bought the SSL certificate for my domain from SSL Store. Now I want to buy a certificate from Google CA so that I can get support for CanSignHttpExchanges.
Now, my questions are:
1) If I buy a certificate from Google CA, does support for the "CanSignHttpExchanges" extension come by default? If not, how can I get the support?
2) How can I add the certificate to my website?
3) Is there a way to auto-update the certificate periodically?
Google does not sell SSL certificates. AFAIK only Digicert sells (provides) certificates with CanSignHttpExchanges.
Consult the Digicert documentation, as the purchase, Certificate Signing Request and installation require knowing the web server type and DNS provider to determine the steps. You must use ECC TLS certificates.
Get your Signed HTTP Exchanges certificate
You must replace the certificate every 90 days or sooner. The payment can be auto-renewing. Digicert supports the ACME protocol, which requires creating an ACME Directory URL for the Signed HTTP Exchanges certificate. Provided that your account has paid for the certificate, an ACME client can download and install the new certificate.
ACME Directory URLs for Signed HTTP Exchange certificates
Only DV and EV certificates include the CanSignHttpExchanges feature. This requires validating your domain and your company identity. OV is easier, and EV verification is fairly strict. You will need your identity, phone and address details, and company information documents to be in good order and verifiable.

Sonos - certificate - letsencrypt

I do not find the letsencrypt certificate in the trusted list published by Sonos (http://musicpartners.sonos.com/node/339 - CERTIFICATE AUTHORITIES TRUSTED BY SONOS PLAYERS).
Do you know if Sonos supports the https://letsencrypt.org certificates even if they are not listed (yet)?
Thanks.
Let's Encrypt is cross-signed by DST Root CA X3, which we trust (https://letsencrypt.org/certificates/), so it's OK to use it. We do have some partners that use Let's Encrypt.

G5 signed SSL certificate

I recently added SSL to my site (www.uberwriteronline.com) and my PayPal IPN stopped working. I learned that my SSL cert didn't meet PayPal's standards. https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US
I had a SHA-2 certificate, but it was being signed by a GoDaddy G2 root certificate. I'm not clear on how to regenerate the CSR using the G5 root certificate. I installed the G5 root certificate on my machine from https://knowledge.verisign.com/support/mpki-for-ssl-support/index?page=content&actp=CROSSLINK&id=SO5624 but when I regenerate the CSR it still points to G2. Sorry for the noob question, but how do I get this to use the G5 root?

Sideloading Windows 8 app in company

I am currently developing a Windows 8 metro app. This app will not be available in the Marketplace but will be distributed by sideloading.
For this it is necessary to sign the app with a certificate and import the same certificate on the client machine.
I have never made such a certificate. How should I proceed?
I also read that the publisher name of the app should be the same as the publisher name in the certificate...
Who knows how to make such a certificate? A commercial certificate from, for example, VeriSign is currently not an option.
If a commercial (paid-for) certificate is not an option, there are three other ways to get a certificate:
1) If your company has its own root certificate (trusted by a public Certificate Authority like VeriSign), you (or an admin) can derive a software signing certificate from that.
2) Your company could set up its own certificate server to issue its own certificates. If the certificates are only used inside the company and the root certificate is trusted (imported into the certificate store for trusted root authorities) on all machines, you could use a software signing certificate derived from that root certificate. See http://www.esecurityplanet.com/network-security/how-to-run-your-own-certificate-authority.html.
3) You could use a self-signed test certificate that is not derived from a root certificate. Use makecert to create one (see How do I create a self-signed certificate for code signing on Windows?). When installing the app, the user will be asked whether they trust this certificate, which has no known publisher.

"This CA Root Certificate is not trusted" with an SSL installed

I just installed an SSL on Plesk, and when I go to https://www.example.com in Chrome, I get the error below:
This CA Root Certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities Store.
Sort of defeats the purpose of having an SSL. Any idea how I can make this message go away?
I bought the SSL from GoDaddy, which I would expect to be a trusted authority.
This issue occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the store of well-known trusted certificate authorities distributed with a particular browser. In this case the authority (GoDaddy) provides a bundle of chained certificates that should be chained with the server certificate to address this lack of trust. Unfortunately, GoDaddy does not provide any documentation on this front. You should have received two different certificates from GoDaddy: one for your server, and the bundle. Depending on your server, this is what the configuration would look like:
For Apache:
Specify each certificate in its own directive:
SSLCertificateFile /path/to/cert/www.example.com.crt
SSLCertificateChainFile /path/to/cert/bundle.crt
For Nginx, documented here:
Both certificates should be concatenated, first the server, then the bundle:
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
And then use www.example.com.chained.crt in your server ssl_certificate directive:
ssl_certificate www.example.com.chained.crt
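A constructed demonstration of the incomplete-chain problem described in this answer (an added example, not code from the thread): it builds a throwaway root, intermediate and server certificate with openssl, then shows that the server certificate verifies against the root only when the intermediate bundle is concatenated behind it, exactly as the nginx step above does. All names, files and the verify_chain helper are constructed for this example.

```shell
#!/bin/sh
# Constructed three-level PKI: root -> intermediate -> leaf, built in a temp dir.
# The root stands in for the CA certificate a browser already trusts; the
# intermediate stands in for the "bundle" the CA ships with the server cert.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Example Root CA" -days 2 2>/dev/null

# Intermediate CA, signed by the root; must carry CA:TRUE to be a valid issuer.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 2 -extfile int.ext 2>/dev/null

# Server (leaf) certificate, signed only by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 2>/dev/null

# The nginx-style fix from the answer: server certificate first, then the bundle.
cat leaf.crt int.crt > chained.crt

# verify_chain FILE: succeed (exit 0) only if the certificates served in FILE
# let a client that trusts just root.crt build a path to the leaf.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
}

# Serving the leaf alone reproduces the browser's "root not trusted" complaint;
# serving the chained file resolves it.
verify_chain leaf.crt    && echo "leaf alone: trusted"   || echo "leaf alone: NOT trusted"
verify_chain chained.crt && echo "chained file: trusted" || echo "chained file: NOT trusted"
```

Run it against a real deployment by replacing root.crt with the CA's root and chained.crt with the file your server actually serves.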
GoDaddy is recognized on Windows operating systems, because the GoDaddy root certificate is pre-installed on Windows. But GoDaddy will not be automatically recognized in many contexts and would need to be manually configured by users (which is not a trivial task). iPhone, for example, will not trust GoDaddy certificates out of the box. You may consider getting a certificate from established certificate authorities such as VeriSign or Thawte, but they will be more expensive.
#John: GoDaddy is a registrar/webhost, I believe their certificates are just reseller certs. You don't need to go expensive to get compatibility as #Jaro suggests. I've deployed several RapidSSL certificates that are recognized by Chrome/iOS and Safari/iOS without user intervention and are much cheaper than the higher-insurance certificates like Symantec/VeriSign.
The only way to make that message go away is by buying a real certificate from a trusted authority.