Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
Can someone please point me to good articles on understanding the 'key usage' property of a ssl certificate? what are the pros and cons of getting a certificate issued with 'Data Encipherment' as one of the values?
Is this recommended? Recently we had to host a web service on our site, to be consumed by a third party and one of their requirements is that the certificate must have 'Data encipherment' in 'key usage'. Currently our site already has ssl, but key usage doesn't have 'data encipherment'.
Will there be any noticeable slowness if say we buy a new certificate with data encipherment and replace the current site certificate with the new one?
You can read the spec, RFC 5280 4.2.1.3. Basically Key Usage is just bits set on the certificate that restrict what the certificate authority certifies using the key for. It should not affect SSL performance - I don't believe SSL even allows for Data Encipherment (using the public key to encrypt data versus using it to establish a symmetric key for data).
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
Improve this question
I built a simple website for my mother's business. There is no login, database, or any sort of form or payment happening on the site. I do not have an SSL Certificate and was wondering if a self-signed one offered by cPanel hosting would suffice? I would hate to shell out money for encryption I don't need yet. The main reason I need it is so that the browsers stop blocking my https connection. Any information I can get on this would be a big help.
Rather than selecting a self-signed SSL Certificate, you better go with the Free/Trial SSL Certificate offered by some of world's leading SSL Certificate authorities like Comodo, Symantec and RapidSSL.
Why no to Self-Signed SSL Certificate?
Not accepted by most browsers
Browser will display untrusted connection error message
Why Free/Trial SSL Certificate?
Compatible with multiple servers and operating system platforms.
Accepted by 99.9% web and mobile browsers (No Error after installation)
It will give trust and confidence to users as the SSL is from verified SSL authority
Increases website reputation over internet.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I'm new to all the ssl stuff.
Is it possible to have an SSL Certificate from different SSL Certificate provider than my hosting company or the hosting and SSL Certificate must come from the same company?
For example, if I host a site in Godaddy, do I must get the SSL Certificate from then (Goddady) as well? or I can do it through some other cheaper SSL Certificate provider?
If it's possible to have SSL Certificate not from the Hosting provider, I would be happy to have a reference by links or something...
Thanks in advance.
Is it possible to have an SSL Certificate from different SSL Certificate provider than my hosting company
Yes.
Or the hosting and SSL Certificate must come from the same company?
No.
If it's possible to have SSL Certificate not from the Hosting provider
In many instances, you can get a free Class 1 server certificate Startcom or CAcert. The certificates are trusted by most desktop and mobile browsers. Class 1's are domain validated via email and don't allow wildcards. If you need a wildcard, then you'll have to purchase a Class 2 or higher. Startcom and CAcert charge for revocation, if needed.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
What I want to do is making my website available via https without getting these browser warning that the site is not trusted.
I created an SSL certificate for my domain and configured Apache webserver to use it in default-ssl. Calling my site with https:// works, but in every browser on every device a get the message that no issuer chain was provided. In firefox like:
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
What did I understand wrong with SSL?
The certificate you get is not directly signed by the Root-CA, but by an intermediate CA, which by itself got signed by the Root-CA. You have to add this intermediate CA to the certificates your server sends to the client, because the client only trusts the Root-CA and does not now the intermediate CA.
The process is described in various places, like https://eldon.me/?p=34
You say Startcom SSL - do you mean the free one? If so - that's a normal and import behavior of these browsers (well your free certificate isn't validated - no prove that this certificate really belongs to you). I actually hope there is no way around that.
Don't get me wrong - CA's have their advantages as well as disadvantages. What you could do for your users is take part in the web of trust, yet it won't help on that topic.
What you personally can do, is view the certificate (when the warning is displayed - don't directly click for a temporary exception) and then, there is an option to permanently save an exception for that certificate.
But you have to do that on every browser (once) and just works for you, every other user visiting the site has to do the same.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I just started today with worklight and try to connect a RESTFul API. The server (which I don't own) I would like to reach use ssl with a self-signed certificate. I imported the certificate in my cacert following the procedure defined in the worklight documentation.
Now, I have the following error when I try the RESTFul API:
"errors": [ "Runtime: Http request failed: javax.net.ssl.SSLException:
hostname in certificate didn't match:
In many http java implementation there is a way to disable the hostname verification but don't find it how to do it when using worklight.
Any tip?
As this question has been close because it is off topic, could you tell me where I post questions and get support on IBM Worklight?
Many Thanks
See this article regardin self signed certificates.
http://pic.dhe.ibm.com/infocenter/wrklight/v5r0m5/index.jsp?topic=%2Fcom.ibm.worklight.help.doc%2Fadmin%2Ft_ibm_worklight_server_and_self-signed_certificates.html
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I have a general question. Theoretically, if you have the following trust chain: RootCA -> IntermediateCA -> MyDomainCertificate, one should verify 2 certificates in order to verify your certificate. When I send MyDomainCertificate.crt (X509v3) to someone for verification, do I have to send him the whole chain? Is the verifier able to download all intermediate certificates automatically?
This is how I hope it works:
I send MyDomainCertificate.crt to someone and he wants to verify it.
The verifier needs IntermediateCA.crt (the certificate of my issuer) in order to verify MyDomainCertificate.crt, so he downloads it automatically.
The verifier needs RootCA.crt in order to verify IntermediateCA.crt. The verifier hat this root certificate locally and completes the verification process.
Examples:
Firefox has to be able to check all server certificates. Is firefox able to download automatically all intermediate certificates, or do all servers send the complete trust chain?
If I have client authentication, does Tomcat download automatically all intermediate certificates, or do all clients send the complete trust chain for their certificates?
I hope someone can help my theory/practice confusion. Thanks!
Configuring an SSL should always include installing intermediate certificates (trust chain) Because some browsers only have the root certificate and don't have intermediate certificate, and your web server should send a copy to client of the intermediate certificate.
You can use openssl for verify your ssl configuration. Read this post:
https://major.io/2012/02/07/using-openssls-s_client-command-with-web-servers-using-server-name-indication-sni/