Hello Jakob
On Monday 25 August 2008 08:51:42 Jakob Grießmann wrote:
> Hello,
>
> does anyone have a howto on how to generate a self-signed extended
> validation certificate, or on how to set up my own CA for local use
> that gives out EVN certificates?
>
> I know how to do this for normal certificates, but was unable to find
> more details on extended validation certificates...
I take it what you are really shooting for is the fancy "make the location bar
go green, and display the company name" in a browser. Unfortunately, from my
understanding, that's not possible (and that's what makes EVSSL certs actually
worth something).
From my understanding, what tells the browser to give all of those visual
clues to the user that EVSSL certs convey is as follows:
1: The Certificate is signed by an EVSSL provider, as certified by the
CA/Browser forum. (The CA has to pass an audit showing they conform to the
EVSSL Certificate policy, and submit the results to the browser writers)
2: The Certificate asserts one of the EV/SSL Certificate Policy OIDs from one
of those CAs
3: The Certificate contains the correctly formatted DN as per the Certificate
Policy promulgated by the CA/Browser forum.
So, you COULD produce a certificate that has the correctly formatted DN in it,
but aside from that, you're pretty much stuck, I'm afraid, unless you were to
completely replace one of the EVSSL Certificate provider's root CA certificate
and all of the intermediate chains in the browser, and those CA certs were
all correctly formatted, and the server certificate was also correctly
formatted. And even then I'm not sure that it would work, as I've got no idea
if the browsers have some sort of checksum or hash that they compare the CA
certificate to.
Even if you were to get all of the technical bits correct, and replace the
appropriate bits in the browser, I imagine that some CA authority's legal
department may want to have a word with you for corporate impersonation.
So, no, you can't do this with a self-signed certificate, no matter what the
toolkit.
Have fun.
--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project
http://www.openssl.org
User Support Mailing List
openssl-users@openssl.org
Automated List Manager
majordomo@openssl.org
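As an added illustration of the three points in the reply above (not part of the original thread), the script below builds a self-signed certificate that carries the EV-style subject attributes (businessCategory, serialNumber, jurisdictionC) and the CA/Browser Forum EV policy OID 2.23.140.1.1, then checks for both locally. The check for point 1, a chain to a root on the browser's EV list, has no local equivalent, which is exactly why the result is still not an EV certificate; the DN values, file paths and function names are constructed for this demo and assume OpenSSL 1.1.1 or later (for `-addext`).

```shell
#!/bin/sh
# Added example, not from the thread: generate a cert with EV-style DN and
# policy OID, then check which EV indicators can be verified locally.

EV_POLICY_OID="2.23.140.1.1"
# DER encoding of that OID: tag 06, length 05, content 67 81 0c 01 01
# (2*40+23 = 0x67; 140 = 0x81 0x0c as a base-128 arc; then 01 01)
EV_POLICY_DER_HEX="060567810c0101"

# make_ev_style_cert DIR: writes DIR/key.pem and a self-signed DIR/cert.pem
# whose subject and certificatePolicies look like an EV leaf (constructed values)
make_ev_style_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/C=US/ST=Delaware/L=Wilmington/O=Example Corp/businessCategory=Private Organization/serialNumber=0000000/jurisdictionC=US/CN=www.example.com" \
        -addext "certificatePolicies=$EV_POLICY_OID" >/dev/null 2>&1
}

# has_ev_policy_oid CERT: succeeds if the DER form contains the encoded EV OID
# (byte-level match, so it does not depend on how this OpenSSL names the OID)
has_ev_policy_oid() {
    openssl x509 -in "$1" -outform DER | od -A n -v -t x1 | tr -d ' \n' \
        | grep -q "$EV_POLICY_DER_HEX"
}

# has_ev_subject_fields CERT: succeeds if the subject carries the EV attributes
has_ev_subject_fields() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    echo "$subj" | grep -Eiq 'businessCategory *=' &&
    echo "$subj" | grep -Eiq 'serialNumber *=' &&
    echo "$subj" | grep -Eiq 'jurisdiction'
}

# ev_indicator_report CERT: prints the local checks; point 1 is never claimed
ev_indicator_report() {
    if has_ev_policy_oid "$1"; then echo "policy-oid: present"; else echo "policy-oid: missing"; fi
    if has_ev_subject_fields "$1"; then echo "ev-subject: present"; else echo "ev-subject: missing"; fi
    echo "ev-trusted-root: not checkable locally (browser-maintained EV root list)"
}

# Stand-alone usage: sh ev_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_ev_style_cert "$d" && ev_indicator_report "$d/cert.pem"
    rm -rf "$d"
fi
```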