Koozali.org: home of the SME Server

Configure a single official certificate as wildcard on the SME

Offline Arnaud

Configure a single official certificate as wildcard on the SME
« on: October 28, 2015, 09:07:20 PM »
Good evening, :-)

The problem: I have only a self-made Certificate Authority that has been generated by my own PHPki http://wiki.contribs.org/PHPki. When people connect via https to my home page, a security warning appears on their screen and they become afraid!! :sad: Trying to argue that visiting a private non-certified https site is not worse than sending personal data to one of these well-known and well-certified clouds is useless: there is a red warning, therefore it is dangerous. End of the discussion! :sad:

The need: the visitors don't get any security warning when connecting via https, and if possible, for all the sub-domains :D

The idea: use a certified and free CA. Two of them caught my attention (if you know others, please go ahead!):
  • CAcert.org. Advantages: it is based on a community and it is documented for SME in the wiki. But: the security warning remains (if I understand well) --> doesn't meet the needs! :sad:
  • StartSSL https://www.startssl.com/?app=0 with a class 1 certificate. Advantages: no warning any more (if I understand well). Disadvantages: it is managed by a company and class 1 certificates are just for 1 domain (no wildcard).
Reading this http://wiki.contribs.org/Certificates_Concepts gave me the idea to use my CA made by PHPki as an intermediate certificate in order to build a chain of trust based on the CA of StartSSL:
Code:
    StartSSL <---> my CA PHPki <----> a self-made certificate for each wished sub-domain
PHPki would allow me to create the certificates for the sub-domains, based on the CA-PHPki, itself based on the CA of StartSSL. In this way I would be able to generate a wildcard based on a CA for only 1 domain.

Questions:
- is such a scheme possible?
- does anyone have experience with it?
- what should be given to StartSSL for a domain? "domain.org" I guess, or "www.domain.org"? (should not be correct, because www is a machine and not a subdomain)
- is there a better/easier/more recommended free and certified CA than StartSSL?

Promise:
If it works, I will write down the detailed method in the wiki......... :-D

Thanks in advance.
Bye
Arnaud

Offline Daniel B.

Re: Configure a single official certificate as wildcard on the SME
« Reply #1 on: October 28, 2015, 09:20:53 PM »
No, it won't work: certs signed by StartSSL (or any other provider) do not have the CA constraint. In other words, they can't sign "sub" certificates and act as an intermediate CA.
It's the end of the world!!! :lol:
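The point Daniel B. makes can be checked with the OpenSSL command line. The script below is an added example and is not part of the thread or of SME Server: it builds a throwaway root CA, issues an ordinary server certificate (basicConstraints CA:FALSE, no keyCertSign) the way a public CA would, then uses that server certificate's key to sign a certificate for a sub-domain, exactly the scheme proposed above. The signing step itself succeeds, because nothing stops a key from producing a signature; path validation then rejects the result because the middle certificate is not a CA. All names (Example Root CA, domain.example, www.domain.example) are made up, and the script assumes the `openssl` binary is on the PATH.

```shell
#!/bin/sh
# Added example (not from the forum thread): show why a server certificate
# (basicConstraints CA:FALSE) cannot act as an intermediate CA.
# Names are constructed for the demo; nothing here is a real domain or CA.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a fresh RSA key and CSR. $1 = file prefix, $2 = common name.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# 1. Root CA: self-signed and explicitly marked CA:TRUE with keyCertSign.
new_csr root "Example Root CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1

# 2. Leaf: what a public CA hands to a site owner. CA:FALSE, no keyCertSign.
new_csr leaf "domain.example"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:domain.example\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1

# 3. The proposed scheme: sign a sub-domain certificate with the leaf's key.
#    OpenSSL produces the signature without complaint; the problem only
#    shows up when a verifier walks the chain.
new_csr sub "www.domain.example"
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.domain.example\n' > "$WORK/sub.ext"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/leaf.crt" -CAkey "$WORK/leaf.key" \
  -CAcreateserial -days 30 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" >/dev/null 2>&1

# Print the CA flag of a certificate: "CA:TRUE" or "CA:FALSE".
ca_flag() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -o 'CA:[A-Z]*'
}

# Validate the leaf directly against the root. Prints "ok" or "fail".
leaf_verifies() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Validate the sub-domain cert with the leaf offered as intermediate.
# Prints "ok" or "fail"; this is the step that rejects the scheme.
sub_verifies() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/leaf.crt" \
       "$WORK/sub.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "root CA flag:        $(ca_flag "$WORK/root.crt")"
echo "leaf CA flag:        $(ca_flag "$WORK/leaf.crt")"
echo "leaf signed by root: $(leaf_verifies)"
echo "sub signed by leaf:  $(sub_verifies)"
```

Running it prints `CA:TRUE` for the root, `CA:FALSE` for the leaf, `ok` for the leaf and `fail` for the sub-domain certificate; `openssl verify` without the redirect reports the reason as an invalid CA certificate in the chain. Browsers apply the same basicConstraints and keyUsage checks, which is why no client would accept certificates issued under a StartSSL-signed server certificate.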

Offline DanB35

Re: Configure a single official certificate as wildcard on the SME
« Reply #2 on: October 29, 2015, 01:26:32 PM »
Letsencrypt.com should be live in the next few weeks.  They won't do wildcard certs either, but they will do multi-host certs, which is nearly as good.  They'll be free, and recognized by mainstream browsers.  See http://forums.contribs.org/index.php/topic,51961.0.html for some further information about them.

Offline janet

Re: Configure a single official certificate as wildcard on the SME
« Reply #3 on: October 29, 2015, 02:03:57 PM »
Arnaud

You can buy security certificates now for around $10 - $100 (or around that sort of price), which are automatically placed in major browser trusted certificate stores, so visitors to your site will not get certificate warnings.

Why bother with workarounds that are a big fiddle at best?
CA certs are OK, but IIRC you need to make physical contact with a member of the CA community to have your certificate/identity validated.
One issue is you need to renew each year, so more work to do regularly.

Just buy one for 5 years, it's easier & cheaper (in your time & labour costs).

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.


Offline Arnaud

Re: Configure a single official certificate as wildcard on the SME
« Reply #5 on: October 29, 2015, 09:51:15 PM »
Good evening,
and many thanks for your information, ........even if I had the hope to read something else............. :shock:

It is quite decided, I think that I will buy a simple one; below ~15$/y there is some choice.
But I have to compare and do some research, because there are quite some differences from one to the other: as far as I'm informed, StartSSL is free, but a revocation and a new cert cost 30$ (??). At https://sslmate.com/pricing the cert costs 16$/y but the revocation and reissue are free, for example.

I will first have a look at letsencrypt.com because I don't understand how it works: having a look at the corresponding page https://letsencrypt.org/howitworks/ it looks like "letsencrypt" is a command! I must ask if they have a contrib for my SME... :grin:

Bye
Arnaud

PS:
Why bother with workarounds that are a big fiddle at best?
:shock: never seen or heard this before!! I had to look it up urgently in the automatic translators......... Nice expression....... 8)

Offline DanB35

Re: Configure a single official certificate as wildcard on the SME
« Reply #6 on: October 29, 2015, 09:57:07 PM »
I will first have a look at letsencrypt.com because I don't understand how it works: having a look at the corresponding page https://letsencrypt.org/howitworks/ it looks like "letsencrypt" is a command! I must ask if they have a contrib for my SME... :grin:
Part of the letsencrypt service is a client that is supposed to automatically get the certificate and configure your server to use it.  It's also supposed to automatically renew your cert when it expires.  I don't really know how easy or difficult it will be to run that client on SME--I'd think, since it's a Python script, it shouldn't be too difficult, but of course any config changes the client makes won't stick.  You're also supposed to be able to get certs without their client, but I haven't seen any indication of what the UI for that will be like.

Since it's due to go live in a few weeks, I'm thinking the wait shouldn't be too bad.