EV SSL Certificates, make our own? - Debian


  1. EV SSL Certificates, make our own?

    Is there a way to make our own EV SSL Certificates?

    I like the fact that when you're on a site with an EV SSL Cert in
    Firefox 3 that the location bar turns green and shows extra
    information. My goal is to be able to provide that same thing for our
    internal users on our official/internal sites. These certs would be
    signed by our company's certificate authority (or make a new EV
    certificate authority if necessary).

    Thanks,
    Dusty


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: EV SSL Certificates, make our own?

    On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
    > Is there a way to make our own EV SSL Certificates?


    I'll rephrase it since I haven't heard any responses. Is there
    something special about an EV SSL cert or is it just a regular old SSL
    cert with an extra attribute or flag? I've searched all over the net
    for a resource to help me on this, but I've hit a dead end. Any
    suggestions?

    Thanks,
    Dusty



  3. Re: EV SSL Certificates, make our own?

    On 05/04/08 10:32, Dusty Wilson wrote:
    > On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
    >
    >> Is there a way to make our own EV SSL Certificates?
    >
    > I'll rephrase it since I haven't heard any responses. Is there
    > something special about an EV SSL cert or is it just a regular old SSL
    > cert with an extra attribute or flag? I've searched all over the net
    > for a resource to help me on this, but I've hit a dead end. Any
    > suggestions?


    I hadn't heard of Extended Validation SSL Certificates before, but
    reading the Wikipedia entry, it sounds like it isn't something that
    you can really do yourself, but from the article: "/The primary way
    to identify an EV certificate is by referencing the Certificate
    Policies extension field/", so you could experiment with that,
    presumably adding custom certificate authorities to your internal
    clients' web browsers...

    Good luck.

    Gavin

    --

    Gavin Westwood
    Solutium

    http://www.solutium.net - Going the extra mile to provide a fast,
    helpful, reliable Web Hosting service.



  4. Re: EV SSL Certificates, make our own?

    > > On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
    > > > Is there a way to make our own EV SSL Certificates?
    >
    > On Sat, 2008-04-05 at 04:32 -0500, Dusty Wilson wrote:
    > > I'll rephrase it since I haven't heard any responses. Is there
    > > something special about an EV SSL cert or is it just a regular old SSL
    > > cert with an extra attribute or flag? I've searched all over the net
    > > for a resource to help me on this, but I've hit a dead end. Any
    > > suggestions?
    > >

    On Sat, Apr 5, 2008 at 4:49 AM, Shane Chrisp wrote:
    > Maybe have a look at www.cacert.org. I'm not sure if there 'is' any
    > difference but if any place would know, they should, and it's worth being
    > a member there to get free ssl certs anyway.



    I'm both an existing user and a financial contributor to the
    cacert.org project. If anyone out there doesn't know about them, give
    them a look! Free certs are great, but their paid certs are worth
    every penny. You pay them to verify your identity and in exchange,
    you can make as many certs as you want for a specified time. Support
    these guys if you can. Also, AFAIK their certs are trusted in every
    browser but IE.


    I haven't seen any mention of EV SSL on their site. I may just shoot
    them an email to see if they have any input on this. Thanks for your
    suggestion... I don't know why I didn't think of it myself.

    Thanks,
    Dusty



  5. Re: EV SSL Certificates, make our own?

    > On Sat, Apr 5, 2008 at 10:32 AM, Dusty Wilson wrote:
    > > I'll rephrase it since I haven't heard any responses. Is there
    > > something special about an EV SSL cert or is it just a regular old SSL
    > > cert with an extra attribute or flag? I've searched all over the net
    > > for a resource to help me on this, but I've hit a dead end. Any
    > > suggestions?
    > >

    On Sat, Apr 5, 2008 at 5:39 AM, Frederik Kriewitz wrote:
    > There's no real difference on the technical side between the normal and EV
    > certs. In Firefox 3 beta 5 EV OIDs are hard coded.
    > So you will have to recompile FF and deploy the modified version.


    Oh no. That's the nail in the coffin right there. Does anyone know
    of any plans to have these *not* hard-coded? I can imagine that maybe
    the goal is to prevent some sort of accidental trust, but hard-coding
    just doesn't feel right at all to me.

    Thanks Frederik; your response on this was very helpful.

    (following left in for the benefit of the list)
    > Currently there are 7 EV OIDs listed:
    > From mozilla/security/manager/ssl/src nsIdentityChecking.cpp:
    > struct nsMyTrustedEVInfo
    > {
    > char *dotted_oid;
    > char *oid_name; // Set this to null to signal an invalid structure,
    > // (We can't have an empty list, so we'll use a dummy entry)
    > SECOidTag oid_tag;
    > char *ev_root_sha1_fingerprint;
    > char *issuer_base64;
    > char *serial_base64;
    > CERTCertificate *cert;
    > };
    >
    > static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
    > {
    > // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
    > "2.16.840.1.114413.1.7.23.3",
    > "Go Daddy EV OID a",
    > SEC_OID_UNKNOWN,
    > "27:96:BA:E6:3F:18:01:E2:77:26:1B:A07:77:70:02:8F:20:EE:E4",
    > "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
    > "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
    > "b3JpdHk=",
    > "AA==",
    > nsnull
    > },
    > {
    > // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
    > "2.16.840.1.114413.1.7.23.3",
    > "Go Daddy EV OID a",
    > SEC_OID_UNKNOWN,
    > "31:7A:2A0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B78:F1:FC:A6",
    > "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
    > "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
    > "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
    > "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
    > "AQ==",
    > nsnull
    > },
    > {
    > // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
    > "2.16.840.1.114414.1.7.23.3",
    > "Go Daddy EV OID b",
    > SEC_OID_UNKNOWN,
    > "31:7A:2A0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B78:F1:FC:A6",
    > "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
    > "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
    > "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
    > "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
    > "AQ==",
    > nsnull
    > },
    > {
    > // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
    > "2.16.840.1.114414.1.7.23.3",
    > "Go Daddy EV OID b",
    > SEC_OID_UNKNOWN,
    > "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C30:E3:37:0E:B5:8A",
    > "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
    > "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
    > "IEF1dGhvcml0eQ==",
    > "AA==",
    > nsnull
    > },
    > {
    > // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
    > "2.16.840.1.114412.2.1",
    > "DigiCert EV OID",
    > SEC_OID_UNKNOWN,
    > "5F:B7:EE:06:33:E2:59B:AD:0C:4C:9A:E63:8F:1A:61:C7C:25",
    > "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
    > "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
    > "bmNlIEVWIFJvb3QgQ0E=",
    > "AqxcJmoLQJuPC3nyrkYldw==",
    > nsnull
    > },
    > {
    > // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
    > "1.3.6.1.4.1.8024.0.2.100.1.2",
    > "Quo Vadis EV OID",
    > SEC_OID_UNKNOWN,
    > "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7",
    > "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
    > "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
    > "BQk=",
    > nsnull
    > },
    > {
    > // OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US
    > "2.16.840.1.113733.1.7.23.6",
    > "Verisign EV OID",
    > SEC_OID_UNKNOWN,
    > "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2",
    > "MF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UE"
    > "CxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
    > "eQ==",
    > "cLrkHRDZKTS2OMp7A8y6vw==",
    > nsnull
    > },
    > {
    > // OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US
    > "0.0.0.0",
    > 0, // for real entries use a string like "Sample INVALID EV OID"
    > SEC_OID_UNKNOWN,
    > "00:11:22:33:44:55:66:77:88:99:AA:BB:CCD:EE:FF:00:11:22:33",
    > "Cg==",
    > "Cg==",
    > nsnull
    > }
    > };
    >




  6. Re: EV SSL Certificates, make our own?

    On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
    > Is there a way to make our own EV SSL Certificates?
    >
    > I like the fact that when you're on a site with an EV SSL Cert in
    > Firefox 3 that the location bar turns green and shows extra
    > information. My goal is to be able to provide that same thing for our
    > internal users on our official/internal sites. These certs would be
    > signed by our company's certificate authority (or make a new EV
    > certificate authority if necessary).


    Maybe this will be helpful (never tried it myself):
    http://urbansensors.wordpress.com/20...alidation-ev-ssl-certificates/

    --
    +---------------------------------------+
    | -o) http://wanted.eu.org/
    | /\\ Message void if penguin violated
    + _\_V Don't mess with the penguin



  7. Re: EV SSL Certificates, make our own?

    * Dusty Wilson [2008-04-05 09:11-0400]:
    >
    > I'm both an existing user and a financial contributor to the
    > cacert.org project. If anyone out there doesn't know about them, give
    > them a look! Free certs are great, but their paid certs are worth
    > every penny. You pay them to verify your identity and in exchange,
    > you can make as many certs as you want for a specified time. Support
    > these guys if you can. Also, AFAIK their certs are trusted in every
    > browser but IE.
    >


    CAcert is great, I'm also a user. However, their certs are *not* trusted
    in every browser but IE. They have not completed their 3rd party audit
    that would enable them to be included in Firefox/Mozilla products. They
    are available in debian in the ca-certificates package, but without that
    installed, or if you have a user not running Debian, then you have to
    install their root otherwise the user is prompted (and I've heard that
    on XP it flat-out refuses to continue).

    The following are the latest on the status of inclusion:

    https://bugzilla.mozilla.org/show_bug.cgi?id=215243
    http://wiki.cacert.org/wiki/InclusionStatus

    Micah



  8. Re: EV SSL Certificates, make our own?

    > * Dusty Wilson [2008-04-05 09:11-0400]:
    > >
    > > I'm both an existing user and a financial contributor to the
    > > cacert.org project. If anyone out there doesn't know about them, give
    > > them a look! Free certs are great, but their paid certs are worth
    > > every penny. You pay them to verify your identity and in exchange,
    > > you can make as many certs as you want for a specified time. Support
    > > these guys if you can. Also, AFAIK their certs are trusted in every
    > > browser but IE.
    > >


    On Sat, Apr 5, 2008 at 1:27 PM, Micah Anderson wrote:
    > CAcert is great, I'm also a user. However, their certs are *not* trusted
    > in every browser but IE. They have not completed their 3rd party audit
    > that would enable them to be included in Firefox/Mozilla products. They
    > are available in debian in the ca-certificates package, but without that
    > installed, or if you have a user not running Debian, then you have to
    > install their root otherwise the user is prompted (and I've heard that
    > on XP it flat-out refuses to continue).


    Ah ha! I'm a heavy Debian user and don't really live outside of it.
    I do know I used Firefox on Windows one time and the cert wasn't
    trusted. I had assumed it may have been an old version of Firefox to
    blame. Thank you for the correction.

    > The following are the latest on the status of inclusion:
    >
    > https://bugzilla.mozilla.org/show_bug.cgi?id=215243
    > http://wiki.cacert.org/wiki/InclusionStatus




  9. Re: EV SSL Certificates, make our own?

    > On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
    > > Is there a way to make our own EV SSL Certificates?
    > >
    > > I like the fact that when you're on a site with an EV SSL Cert in
    > > Firefox 3 that the location bar turns green and shows extra
    > > information. My goal is to be able to provide that same thing for our
    > > internal users on our official/internal sites. These certs would be
    > > signed by our company's certificate authority (or make a new EV
    > > certificate authority if necessary).


    On Sat, Apr 5, 2008 at 11:15 AM, Marcin Sochacki wrote:
    > Maybe this will be helpful (never tried it myself):
    > http://urbansensors.wordpress.com/20...alidation-ev-ssl-certificates/


    Thanks for this link, Marcin. This makes it look promising for those
    with IE deployed and used. Good link to have. I believe it'll be a
    good stepping stone to move forward. Thanks.

