Certificate and Keys

Home

Purchasing a Certificate

The previous steps showed us how to create a self signed certificate for testing purpose. The site is secured with this certificate and is a cheap method for securing a site for your own personal use. However, there is one drawback, when we use the secured site we are presented with the Security Alert dialog. This dialog is telling us the Certificate Authority, CA, who issused the SSL certificate is not recongizsed as a trusted issuing authority. This can be seen by the yellow -yield sign- icon on the security alert dialog. The browser determines the trusted companies by comparing the signed certificate against a preinstalled list of trusted companies contained within the browser. New versions of the browser may include new trusted authority determined by the company such as Netscape. from the security alert dialog we may chose to install our self signed certificate as a SSL certificate signed by a trusted company (ourself) we know the certificate is good because we ourself created it.

Trusted CA root certificate

In the real world customers may not proceed beyound the security alert dialog, refusing not to trust a stranger. Other customers may not understand whats going on with the alert dialog and will simply abort the operation as things dont seem normal. To prevent the dialog from displaying and scarying away potential customers you must have your certificate signed by a trusted company. All trusted companies can be found in the Trusted Root which is the preinstalled list found in supported browsers.

You can view the Trusted CA root certificate store from the browser by selecting:

Microsoft: Tools-->Internet Options-->Content-->Certificates-->Trusted Root Certification Authorities Netscape: Edit-->Preference-->Privacy & Security-->Certificates--->Manage Certificates--->Authorities

To have you new certificate signed by a Trusted CA you must first chose a trusted vendor then create a Certificate Signing Request (*.csr) and key (*.key), to be e-mailed, copy paste, to the vendor. Procedures and prices vary among different vendors. You will have to go to the selected vendor and follow their instructions for creating both .csr and .key. The procedures will be similar to our previous examples.

The Trusted CA vendor I chosed for my site is FreeSSL.com. No, its not free (used to be) but quite afforadable compared to other vendors. However, the ChanedSSL CA is not included in the Trusted CA Root list of older browser. This was a trade off I considered for a lowere purchase price.

NOTE: When creating the key do NOT encrypt the passphrase that is contained inside the *.key file. If you do you will have to include the SSLPassPhraseDialog directive to decrypt the key. This directive with default builtin does not seem to work with Win32, at least for me. You may be able to use the SSLPassPhraseDialog directive but you will have to specify type and write your own routine/program to pass the passphrase to the stdout.

To learn more about SSL Certificates and various providers visit the www.SSLreview.com, formly whichssl.org, web site.

Certificate and Keys

Home

Related Articles

	Secure your webserver with a SSL Certificate at FreeSSL.com. The lowest cost provider of fully supported, highly trusted 128 bit SSL Certificates ideal for low volume / low value transaction, professional level and development websites - delivered immediately!
	The Thawte Web Server Certificate connects at 128 bit, 56 bit or 40 bit depending on the client's browser capability
	Baltimore OmniRoot is the exclusive Baltimore public root certificate pre-distributed in 99% of the world’s browsers (equivalent penetration to the market leader in the SSL Server Certificate space) - providing state of the Art 128-bit encryption.
	GeoTrust, the leading provider of next generation information security services, delivers secure e-commerce transactions, identity verification and authentication solutions to the global web community. GeoTrust ensures a new level of e-business security
	SSL certificates are ideal for securing Web sites, intranets and extranets. Each of our Secure Site solutions delivers powerful SSL encryption and comes with VeriSign's industry-leading business identity Authentication Service.