re: SSL Intermediate Certs

2010-11-03 Thread Juned Shaikh
For the most part, SSL cert providers don't generate and provide access through 
their primary root servers. Most of the SSL vendors, i.e. Verisign, have different 
intermediary root servers, which they sometimes call by classes, i.e. class1, 
class2, class3 etc. Depending upon your business activity and rules governing, 
the certs are issued by respective intermediate authorities, i.e. .gov 
intermediates have special trust to .gov TLDs. 

Thus on the server side, when you plant a new cert, you have to apply the hostname 
SSL cert and its corresponding intermediate cert. 

If you deal with F5 or NetScaler devices, they have provision in the GUI to request 
each one before proceeding further. 

The root certs are automatically updated on client workstations periodically by 
Microsoft through the Windows update services. 

Hope this helps. 
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


SSL Intermediate Certs

2010-10-14 Thread Paul Hutchings
Have to admit I'm thoroughly confused by these.

I totally get the idea that if I buy a cert from Globalsign their CA is
what forms the trust so I need their CA installed on my PC.

Where I'm getting a bit lost is intermediate certificates.  More and
more vendors instruct you to install their intermediate cert on servers
that you install their certificate on to, however having just purchased
a wildcard cert from such a vendor, I'm a bit surprised that I've
imported it into a few servers and appliances (firewall for example) and
it works just fine, my browser doesn't complain and shows it's trusted.

I'm assuming this is because the server I'm installing the cert on must
already have the intermediate CA installed?


--
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England
Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the 
intended recipient.  If you receive this e-mail in error, please delete it and 
notify us either by e-mail, telephone or fax.  You should not copy, forward or 
otherwise disclose the content of the e-mail as this is prohibited.


RE: SSL Intermediate Certs

2010-10-14 Thread Kennedy, Jim
Often the original cert contains the instructions inside it to automagically 
install the intermediate, assuming the target server supports that technology. 
I think IIS has since version 5.


Re: SSL Intermediate Certs

2010-10-14 Thread Tony Patton
I always thought that was the idea of wildcard certs, as long as the domain
part is the same it doesn't matter what the actual host name is.  It's still
trusted by the issuer's CA.

T

typed slowly on HTC Desire

RE: SSL Intermediate Certs

2010-10-14 Thread Sam Cayze
I've imported it into a few servers and appliances (firewall for
example) and it works just fine, my browser doesn't complain and shows
it's trusted.

Note, if it's a web-facing web page or something, just install the Int.
Cert.  I used a Cert once without installing the Int, it worked fine
everywhere I tested.

Next day, got a bunch of calls from Clients, etc, that they were getting
security warnings from the site.   Quickly installed the Int cert and
the problems went away.

If you are just using it internally, probably not an issue...

 


RE: SSL Intermediate Certs

2010-10-14 Thread Ken Schaefer
This is not the issue.

When using certificates the trusting party needs to be able to verify the 
signature on the certificate. If a cert is signed by an intermediate CA, and 
the client only has the private key of the root CA, then it can't verify the 
signature on the server's cert.

What needs to happen is that the client verifies the intermediate CA's 
certificate by using the root CA's public key. It can then verify the server's 
certificate using the now verified/trusted intermediate CA's certificate.

The reason you are asked to install the intermediate CA's certificate into your 
web server is that most browsers and web servers have the technology to 
transfer the intermediate CA certs between the two parties. It saves the client 
having to manually install the intermediate CA certs.

Cheers
Ken

From: Sam Cayze [mailto:sam.ca...@rollouts.com]
Sent: Friday, 15 October 2010 5:23 AM
To: NT System Admin Issues
Subject: RE: SSL Intermediate Certs

I've imported it into a few servers and appliances (firewall for example) and 
it works just fine, my browser doesn't complain and shows it's trusted.

Note, if it's a web-facing web page or something, just install the Int. Cert.  I 
used a Cert once without installing the Int, it worked fine everywhere I tested.
Next day, got a bunch of calls from Clients, etc, that they were getting 
security warnings from the site.   Quickly installed the Int cert and the 
problems went away.

If you are just using it internally, probably not an issue...

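The chain check described in Ken Schaefer's reply, and the warning Sam Cayze's clients saw when the intermediate was not installed, reproduced with the openssl CLI. This is an added example, not code from anyone in the thread; the three-level demo PKI, its subject names and its file paths are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> wildcard server cert.
# All names and paths are made up for this example.

new_csr() {  # $1 = dir, $2 = file basename, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = empty working directory
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root  "Demo Root CA"
  new_csr "$d" inter "Demo Intermediate CA"
  new_csr "$d" leaf  "*.example.test"
  # The root signs itself, the root signs the intermediate,
  # and the intermediate signs the server certificate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -out "$d/leaf.pem" 2>/dev/null
}

# Verify as a client that trusts only the root.
# $1 = trusted root, $2 = cert to check, $3 = optional intermediate.
# -untrusted marks a cert the client holds but does not trust on its own:
# one the server sent in the handshake, or one cached from an earlier site.
client_verify() {
  local out
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo "OK"
  else
    # Print only the reason, e.g. "unable to get local issuer certificate".
    echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

demo() {
  local d; d=$(mktemp -d)
  build_demo_pki "$d"
  echo "intermediate checked against root:  $(client_verify "$d/root.pem" "$d/inter.pem")"
  echo "server cert, no intermediate:       $(client_verify "$d/root.pem" "$d/leaf.pem")"
  echo "server cert, intermediate supplied: $(client_verify "$d/root.pem" "$d/leaf.pem" "$d/inter.pem")"
  rm -rf "$d"
}
demo
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included in the handshake.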