Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
I'm new to all the ssl stuff.
Is it possible to have an SSL Certificate from a different SSL Certificate provider than my hosting company, or must the hosting and SSL Certificate come from the same company?
For example, if I host a site at GoDaddy, must I get the SSL Certificate from them (GoDaddy) as well? Or can I do it through some other cheaper SSL Certificate provider?
If it's possible to have SSL Certificate not from the Hosting provider, I would be happy to have a reference by links or something...
Thanks in advance.
Is it possible to have an SSL Certificate from different SSL Certificate provider than my hosting company
Yes.
Or the hosting and SSL Certificate must come from the same company?
No.
If it's possible to have SSL Certificate not from the Hosting provider
In many instances, you can get a free Class 1 server certificate from Startcom or CAcert. The certificates are trusted by most desktop and mobile browsers. Class 1's are domain validated via email and don't allow wildcards. If you need a wildcard, then you'll have to purchase a Class 2 or higher. Startcom and CAcert charge for revocation, if needed.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
I built a simple website for my mother's business. There is no login, database, or any sort of form or payment happening on the site. I do not have an SSL Certificate and was wondering if a self-signed one offered by cPanel hosting would suffice? I would hate to shell out money for encryption I don't need yet. The main reason I need it is so that the browsers stop blocking my https connection. Any information I can get on this would be a big help.
Rather than selecting a self-signed SSL Certificate, you had better go with the Free/Trial SSL Certificate offered by some of the world's leading SSL Certificate authorities like Comodo, Symantec and RapidSSL.
Why say no to a Self-Signed SSL Certificate?
Not accepted by most browsers
Browser will display untrusted connection error message
Why Free/Trial SSL Certificate?
Compatible with multiple servers and operating system platforms.
Accepted by 99.9% web and mobile browsers (No Error after installation)
It will give trust and confidence to users, as the SSL is from a verified SSL authority.
Increases website reputation on the internet.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
How can I show the company name (author of the certificate) instead of the plain "https" in the browser URL input?
As said in the comment above, the certificate you are looking for is an SSL Certificate with Extended Validation (EV), which validates domain ownership as well as company identity.
This kind of SSL certificate is offered by quite a lot of Certificate Authorities, such as Verisign and GoDaddy.
Reference: http://www.symantec.com/en/hk/verisign/ssl-certificates/secure-site-ev?inid=vrsn_symc_ssl_SSEV
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
What I want to do is make my website available via https without getting these browser warnings that the site is not trusted.
I created an SSL certificate for my domain and configured the Apache webserver to use it in default-ssl. Calling my site with https:// works, but in every browser on every device I get the message that no issuer chain was provided. In Firefox, for example:
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
What did I understand wrong with SSL?
The certificate you get is not directly signed by the Root-CA, but by an intermediate CA, which itself got signed by the Root-CA. You have to add this intermediate CA to the certificates your server sends to the client, because the client only trusts the Root-CA and does not know the intermediate CA.
The process is described in various places, like https://eldon.me/?p=34
You say Startcom SSL - do you mean the free one? If so - that's a normal and important behavior of these browsers (well, your free certificate isn't validated - no proof that this certificate really belongs to you). I actually hope there is no way around that.
Don't get me wrong - CA's have their advantages as well as disadvantages. What you could do for your users is take part in the web of trust, yet it won't help on that topic.
What you personally can do is view the certificate (when the warning is displayed - don't directly click for a temporary exception), and then there is an option to permanently save an exception for that certificate.
But you have to do that on every browser (once) and it just works for you; every other user visiting the site has to do the same.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
I have a general question. Theoretically, if you have the following trust chain: RootCA -> IntermediateCA -> MyDomainCertificate, one should verify 2 certificates in order to verify your certificate. When I send MyDomainCertificate.crt (X509v3) to someone for verification, do I have to send him the whole chain? Is the verifier able to download all intermediate certificates automatically?
This is how I hope it works:
I send MyDomainCertificate.crt to someone and he wants to verify it.
The verifier needs IntermediateCA.crt (the certificate of my issuer) in order to verify MyDomainCertificate.crt, so he downloads it automatically.
The verifier needs RootCA.crt in order to verify IntermediateCA.crt. The verifier has this root certificate locally and completes the verification process.
Examples:
Firefox has to be able to check all server certificates. Is Firefox able to automatically download all intermediate certificates, or do all servers send the complete trust chain?
If I have client authentication, does Tomcat automatically download all intermediate certificates, or do all clients send the complete trust chain for their certificates?
I hope someone can help my theory/practice confusion. Thanks!
Configuring SSL should always include installing intermediate certificates (trust chain), because some browsers only have the root certificate and don't have the intermediate certificate, and your web server should send a copy of the intermediate certificate to the client.
You can use openssl to verify your SSL configuration. Read this post:
https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/
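The missing-intermediate failure discussed in the answers above can be reproduced offline. This is an added example, not part of any answer: it builds a constructed Root CA -> Intermediate CA -> leaf chain with the openssl CLI and verifies the leaf with and without the intermediate. All file names and subjects are made up for the demo.

```shell
#!/bin/sh
# Constructed demo chain (made-up subjects): Demo Root CA -> Demo Intermediate CA -> leaf.

new_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_chain() {  # $1 = empty working directory
  d=$1
  # Both CA certificates must carry basicConstraints CA:TRUE to be usable as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  new_csr "$d/root" "Demo Root CA" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null &&
  new_csr "$d/inter" "Demo Intermediate CA" &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null &&
  new_csr "$d/leaf" "www.example.test" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/leaf.crt" 2>/dev/null &&
  cat "$d/leaf.crt" "$d/inter.crt" > "$d/fullchain.crt"  # leaf first, then intermediate
}

# The verifier trusts only the root, like a browser that has never seen the intermediate.
verify_leaf() {  # $1 = directory, $2 = "with" to supply the intermediate
  if [ "$2" = with ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/inter.crt" "$1/leaf.crt"
  else
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
  fi
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo_dir=$(mktemp -d) && make_chain "$demo_dir" || exit 1
verify_leaf "$demo_dir" without >/dev/null 2>&1 || echo "leaf only: issuer unknown, verification fails"
verify_leaf "$demo_dir" with >/dev/null 2>&1 && echo "leaf + intermediate: verification OK"
echo "fullchain.crt holds $(count_certs "$demo_dir/fullchain.crt") certificates"
```

Against a live server, `openssl s_client -connect host:443 -servername host -showcerts` lists the certificates the server actually sends, so a chain containing only the leaf is visible immediately.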
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 months ago.
I'm looking through a variety of SSL providers, but they all seem to provide "email certificates" which can double as client-certs that can be installed into a browser.
Does any company actually sell client-certificates and know what they're talking about?
X509v3 certificates can be restricted to specific uses. Some S/MIME certificates are restricted so that they can't be used for websites, but most are not.
Thawte no longer issues client certificates. My certificate from 2003 had a "Cert Type" of "SSL Client, S/MIME", indicating that it could be used for both email and for client certificates. My certificate from April 27, 2009 had only a single constraint, that it could not be used as a Certificate Authority.
Apple's iChat encryption certificate can only be used for SSL Client. You get this automatically if you are a me.com customer and enable secure iChat.
You may find that it is easiest to issue your own certificates. Many people do this and it works quite well. You will need to have the user load your own key as a CA.
A client certificate is typically only meaningful in the context of a service that trusts it.
For example, when a Windows computer joins a domain, that client workstation generates a key pair (internally), and the domain controller signs it, and that signed pair now becomes a cert (though not an X509 cert) and is used internally by Windows. The cert is only meaningful to the domain controller.
Normally, large organizations who run their own CA issue client certs to people who want to use SSL auth to access secure sites.
The reason that client certificates are probably rare on the internet at large is the revocation problem. For Thawte to issue you (personally) a client cert would mean that they would have to be responsible for managing revocation for it. In order for it to be cost effective, there would be a large number of certs out there; and they would constantly be being revoked, since individuals constantly have individual security lapses.