I have a few questions about this issue:
Question 1. So the first root certificate from lets-encrypt has expired on September 30/2021. If I want my website to support lots of users in outdated systems, letsencrypt is no longer an option, right?
Question 2. What would be a viable provider to support lots of users in outdated systems like Windows 7, XP, etc...?
Question 3. What are relevant websites with letsencrypt certificates doing about this in order to support outdated clients?
Question 4. I have been unable to find any specific information on what to do about those expiring root certificates in order to keep support for outdated clients... The only thing I can think of is to change to a certificate provider whose original root certificates are not expired yet, is that the only option?
First question: depends on which systems do you want to support? there is Let's Encrypt compatibilty page for reference to look. As far is see most thing will work but certificate expiring and Android >= 2.3.6 will need its certificate chain managed. To sum up, it depend but most systems will work
Second question: To Windows 7,XP if their latest are applied they should work assuming left enabled.
Third question : They probably setting up certificate chains up to send diffirent chains depending on which device their on like on android >=2.3.6 and up to 7.1.1 should get the right chain if acme client configured and up to date
Fourth question : they can add ISRG Root X1 certificate to their devices
I work for advertising seo company. They have dedicated server and want also use SSL for the clients. They asked me to find the best option regarding that, I need help from you guys. I suppose some of you are more experienced in this.
Should they buy certificates separately for each client?
Create self signed certificate (Is there any way avoid security warnings).
Use wild card or multiple domain SSL
Other option (please suggest)
Thanks
I would recommand using LetsEncrypt.
It is free, you can do wildcard, automatic renewal every 3 month, documentation, etc.
I'm a big fan of it.
You can also use your registrar, sometimes they also sell certificates for the domain they sell. Like Gandi for example, you got 1 year free certificate with a domain, and they guide you all along on how to install it.
To begin with, I already posted the same question in serverfault.com and received no help, so I'm repeating it here out of desperation.
Recently PayPal is requiring servers to support SHA-256. Here's an article referring to this issue:
https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US
At the top of the article, it states,
Update your integration to support certificates using the SHA-256 algorithm. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm.
We have a dedicated CentOS server with numerous sites, mostly WordPress. Quite a few use PayPal IPN but do not have dedicated IPs or SSL Certificates. What needs to be changed to the server so these sites will support SHA-256? Our server is situated with Limestone Networks so I've created a ticket and asked repeatedly for assistance to no avail. They keep repeating SSL's need to be updated on the server. Would that be a wildcase SSL certificate in the usage case I described? Any assistance would be greatly appreciated.
Based on your comments, it sounds like this is nothing to do with SHA256, but a simple CN mismatch. A certificate is only good for the names listed in it. You could try adding a subjectAltName for each of the required hosts, or a wildcard certificate for *.example.com (though I wouldn't trust one of those for my server.)
Context:
I have an application that is deployed to each client as a Virtual Machine. The latter is installed by the clients wherever they want (I don't necessarily know the final domain). The application comprises an JBoss Web Server that provides access to a configuration page, protected by SSL. Right now the server is using a self signed Certificate. However, I want the browsers to stop showing the warning messages associated to self signed certs. Moreover, I provide a free version of the application that has basic functionality.
Question:
For cases where the client is using a free version (and me wanting to reduce costs), what is the best approach when using a SSL cert, and not knowing the final domain (most of the time)?
It is acceptable to use a self-signing cert? If so, a different one
per client install?
Is it best to issue a new cert (maybe a free one) for each
deployment?
Is is acceptable to use the same cert, signed by a proper CA, on all
of the deployment VMs?
A completely different approach?
Thanks guys!
It is acceptable to use a self-signing cert? If so, a different one per client install?
Ask your clients. Will they put up with a browser warning? or not?
Is it best to issue a new cert (maybe a free one) for each deployment?
It is best for the client to acquire his own SSL certificate. You can't do that for him. Nobody can.
Is is acceptable to use the same cert, signed by a proper CA, on all of the deployment VMs?
No, it entirely defeats the purpose. The certificate and the private key it wraps are supposed to uniquely identify the holder.
A completely different approach?
Handball the whole megillah to the clients. Self-identification is their problem, not yours.
I'm setting up a webserver for a system that needs to be used only through HTTPS, on an internal network (no access from outside world)
Right now I got it setup with a self-signed certificate, and it works fine, except for a nasty warning that all browsers fire up, as the CA authority used to sign it is naturally not trusted.
Access is provided by a local DNS domain name resolved on local DNS server (example: https://myapp.local/), that maps that address to 192.168.x.y
Is there some provider that can issue me a proper certificate for use on an internal domain name (myapp.local)? Or is my only option to use a FQDN on a real domain, and later map it to a local IP address?
Note: I would like an option where it's not needed to mark the server public key as trusted on each browser, as I have not control over workstations.
You have two practical options:
Stand up your own CA. You can do it with OpenSSL and there's a lot of Google info out there.
Keep using your self-signed cert, but add the public key to your trusted certs in the browser. If you're in an Active Directory domain, this can be done automatically with group policy.
I did the following, which worked nicely for me:
I got a wildcard SSL cert for *.mydomain.com (Namecheap, for example, provide this cheaply)
I created a CNAME DNS record pointing "mybox.mydomain.com" at "mybox.local".
I hope that helps - unfortunately you'll have the expense of a wildcard cert for your domain name, but you may already have that.
You'd have to ask the typical cert people for that. For ease of use I'd get with the FQDN though, you might use a subdomain to your already registered one: https://mybox.example.com
Also you might want to look at wildcard certificates, providing a blanket cert for (e.g.) https://*.example.com/ - even usable for virtual hosting, should you need more than just this one cert.
Certifying sub- or sub-sub domains of FQDN should be standard business - maybe not for the point&click big guys that proud themselves to provide the certificates in just 2 minutes.
In short: To make the cert trusted by a workstation you'd have to either
change settings on the workstations (which you don't want) or
use an already trusted party to sign your key (which you're looking for a way around).
That's all your choices. Choose your poison.
I would have added this as a comment but it was a bit long..
This is not really an answer to your questions, but in practice I've found that it's not recommended to use a .local domain - even if it's on your "local" testing environment, with your own DNS Server.
I know that Active Directory uses the .local name by default when your install DNS, but even people at Microsoft say to avoid it.
If you have control over the DNS Server you can use a .com, .net, or .org domain - even if it's internal and private only. This way, you could actually buy the domain name that you are using internally and then buy a certificate for that domain name and apply it to your local domain.
I had a similar requirement, have our companys browsers trust our internal websites.
I didnt want our public DNS to issue public DNS for our internal sites, so the only way to make this work that I found was to use an internal CA.
Heres the writeup for this,
https://medium.com/#mike.reider/getting-firefox-chrome-to-trust-your-internal-websites-internal-certificate-authority-a53ba2d4c2af
i think the answer is NO.
out-of-the-box, browsers won't trust certificates unless it's ultimately been verified by someone pre-programmed into the browser, e.g. verisign, register.com.
you can only get a verified certificate for a globally unique domain.
so i'd suggest instead of myapp.local you use myapp.local.yourcompany.com, for which you should be able to get a certificate, provided you own yourcompany.com. it'll cost you thought, several hundred per year.
also be warned wildcard certificates might only go down to one level -- so you could use it for a.yourcompany.com and local.yourcompany.com but maybe not b.a.yourcompany.com or myapp.local.yourcompany.com, unless you pay more.
(does anyone know, does it depend on the type of wildcard certificate? are sub-sub-domains trusted by the major browsers?)
Development purpose only
This docker image solves the problem (thanks to local-ip.co): https://github.com/medic/nginx-local-ip.
It launches a reverse proxy in the port 443 with a public cert that works with any *.my.local-ip.co domain. Eg. your local IP is 192.168.10.10 → 192-168-10-10.my.local-ip.co already points to it (it's a public domain)! Assuming the app is running in your computer at the port 8080, you only need to execute this to proxy pass your app and expose it at the URL https://192-168-10-10.my.local-ip.co:
$ APP_URL=http://192.168.10.10:8080 docker-compose up
The domain is resolved with any public DNS you have configured in the devices where you want to access the app, but your traffic keeps local between your app and the client (through the proxy), so you can even use it to connect with devices within the same LAN network, without any of the traffic going out to internet, all the traffic is local.
The reason that is mostly useful for development is that anybody can launch an application with this same certificate, so is not really secure, but helpful when you need to expose your app with HTTPS while developing or testing (e.g. HTML5 apps in Android that are loaded with Webview).