Old 04-03-2008, 03:35 PM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

Is there a way to make our own EV SSL Certificates?

I like the fact that when you're on a site with an EV SSL Cert in
Firefox 3 that the location bar turns green and shows extra
information. My goal is to be able to provide that same thing for our
internal users on our official/internal sites. These certs would be
signed by our company's certificate authority (or make a new EV
certificate authority if necessary).

Thanks,
Dusty


--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 04-05-2008, 09:32 AM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson <dusty@hey.nu> wrote:
> Is there a way to make our own EV SSL Certificates?

I'll rephrase it since I haven't heard any responses. Is there
something special about an EV SSL cert or is it just a regular old SSL
cert with an extra attribute or flag? I've searched all over the net
for a resource to help me on this, but I've hit a dead end. Any
suggestions?

Thanks,
Dusty


 
Old 04-05-2008, 10:31 AM
Gavin Westwood
 
EV SSL Certificates, make our own?

On 05/04/08 10:32, Dusty Wilson wrote:
> On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson <dusty@hey.nu> wrote:
> > Is there a way to make our own EV SSL Certificates?
>
> I'll rephrase it since I haven't heard any responses. Is there
> something special about an EV SSL cert or is it just a regular old SSL
> cert with an extra attribute or flag? I've searched all over the net
> for a resource to help me on this, but I've hit a dead end. Any
> suggestions?

I hadn't heard of Extended Validation SSL Certificates before, but
reading the Wikipedia entry, it sounds like it isn't something that you
can really do yourself, but from the article: "The primary way to identify
an EV certificate is by referencing the Certificate Policies extension field",
so you could experiment with that, presumably adding a custom
certificate authority to your internal clients' web browsers...

Good luck.

Gavin

--
Gavin Westwood
Solutium

http://www.solutium.net - Going the extra mile to provide a fast,
helpful, reliable Web Hosting service.
 
Old 04-05-2008, 04:10 PM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

> > On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson <dusty@hey.nu> wrote:
> > > Is there a way to make our own EV SSL Certificates?
> >
> On Sat, 2008-04-05 at 04:32 -0500, Dusty Wilson wrote:
> > I'll rephrase it since I haven't heard any responses. Is there
> > something special about an EV SSL cert or is it just a regular old SSL
> > cert with an extra attribute or flag? I've searched all over the net
> > for a resource to help me on this, but I've hit a dead end. Any
> > suggestions?
> >
On Sat, Apr 5, 2008 at 4:49 AM, Shane Chrisp <shane@2000cn.com.au> wrote:
> Maybe have a look at www.cacert.org. I'm not sure if there 'is' any
> difference but if any place would know, they should, and it's worth being
> a member there to get free ssl certs anyway.

<offtopic>
I'm both an existing user and a financial contributor to the
cacert.org project. If anyone out there doesn't know about them, give
them a look! Free certs are great, but their paid certs are worth
every penny. You pay them to verify your identity and in exchange,
you can make as many certs as you want for a specified time. Support
these guys if you can. Also, AFAIK their certs are trusted in every
browser but IE.
</offtopic>

I haven't seen any mention of EV SSL on their site. I may just shoot
them an email to see if they have any input on this. Thanks for your
suggestion... I don't know why I didn't think of it myself.

Thanks,
Dusty


 
Old 04-05-2008, 04:15 PM
Marcin Sochacki
 
EV SSL Certificates, make our own?

On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
> Is there a way to make our own EV SSL Certificates?
>
> I like the fact that when you're on a site with an EV SSL Cert in
> Firefox 3 that the location bar turns green and shows extra
> information. My goal is to be able to provide that same thing for our
> internal users on our official/internal sites. These certs would be
> signed by our company's certificate authority (or make a new EV
> certificate authority if necessary).

Maybe this will be helpful (never tried it myself):
http://urbansensors.wordpress.com/2007/08/29/generating-extended-validation-ev-ssl-certificates/

--
+---------------------------------------+
| -o) http://wanted.eu.org/
| / Message void if penguin violated
+ _\_V Don't mess with the penguin


 
Old 04-05-2008, 04:17 PM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

> On Sat, Apr 5, 2008 at 10:32 AM, Dusty Wilson <dusty@hey.nu> wrote:
> > I'll rephrase it since I haven't heard any responses. Is there
> > something special about an EV SSL cert or is it just a regular old SSL
> > cert with an extra attribute or flag? I've searched all over the net
> > for a resource to help me on this, but I've hit a dead end. Any
> > suggestions?
> >
On Sat, Apr 5, 2008 at 5:39 AM, Frederik Kriewitz <frederik@kriewitz.eu> wrote:
> There's no real difference on the technical side between the normal and EV
> certs. In Firefox 3 beta 5 EV OIDs are hard coded.
> So you will have to recompile FF and deploy the modified version.

Oh no. That's the nail in the coffin right there. Does anyone know
of any plans to have these *not* hard-coded? I can imagine that maybe
the goal is to prevent some sort of accidental trust, but hard-coding
just doesn't feel right at all to me.

Thanks Frederik; your response on this was very helpful.

(following left in for the benefit of the list)
> Currently there are 7 EV OIDs listed:
> From mozilla/security/manager/ssl/src nsIdentityChecking.cpp:
> struct nsMyTrustedEVInfo
> {
> char *dotted_oid;
> char *oid_name; // Set this to null to signal an invalid structure,
> // (We can't have an empty list, so we'll use a dummy
> entry)
> SECOidTag oid_tag;
> char *ev_root_sha1_fingerprint;
> char *issuer_base64;
> char *serial_base64;
> CERTCertificate *cert;
> };
>
> static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
> {
> // OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
> Inc.",C=US
> "2.16.840.1.114413.1.7.23.3",
> "Go Daddy EV OID a",
> SEC_OID_UNKNOWN,
> "27:96:BA:E6:3F:18:01:E2:77:26:1B:A07:77:70:02:8 F:20:EE:E4",
> "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZ HkgR3JvdXAsIElu"
> "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlma WNhdGlvbiBBdXRo"
> "b3JpdHk=",
> "AA==",
> nsnull
> },
> {
> // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation
> Network
> "2.16.840.1.114413.1.7.23.3",
> "Go Daddy EV OID a",
> SEC_OID_UNKNOWN,
> "31:7A:2A0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7 8:F1:FC:A6",
> "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ld HdvcmsxFzAVBgNV"
> "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2Vyd CBDbGFzcyAyIFBv"
> "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYa HR0cDovL3d3dy52"
> "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhb GljZXJ0LmNvbQ==",
> "AQ==",
> nsnull
> },
> {
> // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2
> Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation
> Network
> "2.16.840.1.114414.1.7.23.3",
> "Go Daddy EV OID b",
> SEC_OID_UNKNOWN,
> "31:7A:2A0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7 8:F1:FC:A6",
> "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ld HdvcmsxFzAVBgNV"
> "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2Vyd CBDbGFzcyAyIFBv"
> "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYa HR0cDovL3d3dy52"
> "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhb GljZXJ0LmNvbQ==",
> "AQ==",
> nsnull
> },
> {
> // OU=Starfield Class 2 Certification Authority,O="Starfield
> Technologies, Inc.",C=US
> "2.16.840.1.114414.1.7.23.3",
> "Go Daddy EV OID b",
> SEC_OID_UNKNOWN,
> "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C30:E3:3 7:0E:B5:8A",
> "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgV GVjaG5vbG9naWVz"
> "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZ XJ0aWZpY2F0aW9u"
> "IEF1dGhvcml0eQ==",
> "AA==",
> nsnull
> },
> {
> // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert
> Inc,C=US
> "2.16.840.1.114412.2.1",
> "DigiCert EV OID",
> SEC_OID_UNKNOWN,
> "5F:B7:EE:06:33:E2:59B:AD:0C:4C:9A:E63:8F:1A:6 1:C7C:25",
> "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJb mMxGTAXBgNVBAsT"
> "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0I EhpZ2ggQXNzdXJh"
> "bmNlIEVWIFJvb3QgQ0E=",
> "AqxcJmoLQJuPC3nyrkYldw==",
> nsnull
> },
> {
> // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
> "1.3.6.1.4.1.8024.0.2.100.1.2",
> "Quo Vadis EV OID",
> SEC_OID_UNKNOWN,
> "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:1 9:93:7C:F7",
> "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMa W1pdGVkMRswGQYD"
> "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
> "BQk=",
> nsnull
> },
> {
> // OU=Class 3 Public Primary Certification Authority,O="VeriSign,
> Inc.",C=US
> "2.16.840.1.113733.1.7.23.6",
> "Verisign EV OID",
> SEC_OID_UNKNOWN,
> "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3 E:61:74:E2",
> "MF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgS W5jLjE3MDUGA1UE"
> "CxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0a W9uIEF1dGhvcml0"
> "eQ==",
> "cLrkHRDZKTS2OMp7A8y6vw==",
> nsnull
> },
> {
> // OU=Sample Certification Authority,O="Sample, Inc.",C=US
> "0.0.0.0",
> 0, // for real entries use a string like "Sample INVALID EV OID"
> SEC_OID_UNKNOWN,
> "00:11:22:33:44:55:66:77:88:99:AA:BB:CCD:EE:FF:0 0:11:22:33"
> "Cg==",
> "Cg==",
> nsnull
> }
> };
>


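The decision described in this thread (a policy OID from the Certificate Policies extension, honoured only together with the root it is hard-coded against), as a simplified model added here; it is not code from the thread or from Firefox. `classify`, the stand-in root bytes and the `2.999.1.1` OID are assumptions made for the illustration, and a real client also validates the whole chain.

```python
import hashlib

# (policy OID, SHA-1 of the root it is bound to) for two entries of the list
# quoted above, with the space that line wrapping inserted removed.
BUILTIN_EV = {
    ("1.3.6.1.4.1.8024.0.2.100.1.2",
     "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7"),
    ("2.16.840.1.113733.1.7.23.6",
     "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"),
}


def sha1_fingerprint(cert_bytes: bytes) -> str:
    """Colon-separated upper-case SHA-1, the format used in the list."""
    digest = hashlib.sha1(cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def classify(policy_oids, root_bytes, trust_store, ev_table=BUILTIN_EV):
    """Return 'untrusted', 'trusted' or 'ev' for a chain ending at root_bytes.

    policy_oids: OIDs from the leaf's Certificate Policies extension.
    trust_store: fingerprints of roots the client trusts for TLS.
    """
    root_fp = sha1_fingerprint(root_bytes)
    if root_fp not in trust_store:
        return "untrusted"
    # EV needs the OID *and* the root it was registered with; the OID alone,
    # issued under some other trusted root, earns nothing extra.
    if any((oid, root_fp) in ev_table for oid in policy_oids):
        return "ev"
    return "trusted"


# Constructed sample data: stand-in bytes for an internal root (not real DER)
# and a policy OID from the 2.999 example arc.
INTERNAL_ROOT = b"constructed internal root CA"
INTERNAL_OID = "2.999.1.1"
INTERNAL_FP = sha1_fingerprint(INTERNAL_ROOT)

if __name__ == "__main__":
    store = {INTERNAL_FP}
    # Internal cert copying a public EV OID: trusted, but no green bar.
    print(classify(["2.16.840.1.113733.1.7.23.6"], INTERNAL_ROOT, store))
    # Same chain against a rebuilt table that includes the internal pair.
    rebuilt = BUILTIN_EV | {(INTERNAL_OID, INTERNAL_FP)}
    print(classify([INTERNAL_OID], INTERNAL_ROOT, store, rebuilt))
    # Root never imported into the client: not even trusted.
    print(classify([INTERNAL_OID], INTERNAL_ROOT, set(), rebuilt))
```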
 
Old 04-05-2008, 06:27 PM
Micah Anderson
 
EV SSL Certificates, make our own?

* Dusty Wilson <dusty@hey.nu> [2008-04-05 09:11-0400]:
> <offtopic>
> I'm both an existing user and a financial contributor to the
> cacert.org project. If anyone out there doesn't know about them, give
> them a look! Free certs are great, but their paid certs are worth
> every penny. You pay them to verify your identity and in exchange,
> you can make as many certs as you want for a specified time. Support
> these guys if you can. Also, AFAIK their certs are trusted in every
> browser but IE.
> </offtopic>

CAcert is great, I'm also a user. However, their certs are *not* trusted
in every browser but IE. They have not completed their 3rd party audit
that would enable them to be included in Firefox/Mozilla products. They
are available in Debian in the ca-certificates package, but without that
installed, or if you have a user not running Debian, then you have to
install their root, otherwise the user is prompted (and I've heard that
on XP it flat-out refuses to continue).

The following are the latest on the status of inclusion:

https://bugzilla.mozilla.org/show_bug.cgi?id=215243
http://wiki.cacert.org/wiki/InclusionStatus

Micah
 
Old 04-05-2008, 08:56 PM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

> * Dusty Wilson <dusty@hey.nu> [2008-04-05 09:11-0400]:
> > <offtopic>
> > I'm both an existing user and a financial contributor to the
> > cacert.org project. If anyone out there doesn't know about them, give
> > them a look! Free certs are great, but their paid certs are worth
> > every penny. You pay them to verify your identity and in exchange,
> > you can make as many certs as you want for a specified time. Support
> > these guys if you can. Also, AFAIK their certs are trusted in every
> > browser but IE.
> > </offtopic>

On Sat, Apr 5, 2008 at 1:27 PM, Micah Anderson <micah@riseup.net> wrote:
> CAcert is great, I'm also a user. However, their certs are *not* trusted
> in every browser but IE. They have not completed their 3rd party audit
> that would enable them to be included in Firefox/Mozilla products. They
> are available in Debian in the ca-certificates package, but without that
> installed, or if you have a user not running Debian, then you have to
> install their root, otherwise the user is prompted (and I've heard that
> on XP it flat-out refuses to continue).

Ah ha! I'm a heavy Debian user and don't really live outside of it.
I do know I used Firefox on Windows one time and the cert wasn't
trusted. I had assumed it may have been an old version of Firefox to
blame. Thank you for the correction.

> The following are the latest on the status of inclusion:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=215243
> http://wiki.cacert.org/wiki/InclusionStatus


 
Old 04-05-2008, 09:02 PM
"Dusty Wilson"
 
EV SSL Certificates, make our own?

> On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
> > Is there a way to make our own EV SSL Certificates?
> >
> > I like the fact that when you're on a site with an EV SSL Cert in
> > Firefox 3 that the location bar turns green and shows extra
> > information. My goal is to be able to provide that same thing for our
> > internal users on our official/internal sites. These certs would be
> > signed by our company's certificate authority (or make a new EV
> > certificate authority if necessary).

On Sat, Apr 5, 2008 at 11:15 AM, Marcin Sochacki <wanted@gnu.univ.gda.pl> wrote:
> Maybe this will be helpful (never tried it myself):
> http://urbansensors.wordpress.com/2007/08/29/generating-extended-validation-ev-ssl-certificates/

Thanks for this link, Marcin. This makes it look promising for those
with IE deployed and used. Good link to have. I believe it'll be a
good stepping stone to move forward. Thanks.


 
