[Mageia-sysadm] SSL certificate

Michael Scherer misc at zarb.org
Wed Feb 9 16:58:35 CET 2011

On Wednesday 09 February 2011 at 15:36 +0100, Romain d'Alverny wrote:
> On Wed, Feb 9, 2011 at 15:22, Michael Scherer <misc at zarb.org> wrote:
> > Another issue we had with rapidssl was for foo.barr.domain when the
> > certificate was *.domain. That's something we need to check and to test
> > for sure.
> AFAIK, that is the case for all wildcards that only work on a single
> subdomain level, no?

Given the price of a wildcard cert, we didn't check other providers
when we faced the issue at my work. But that's something to look for.

I.e., be sure to keep only single-level URLs.

> >> For other solutions, Cacert is not an option so far.
> >
> > Why ? Wobo and Pascal are both assurers, IIRC, as is rapsys.
> For the single reason it is not recognized by Firefox:
>  * https://bugzilla.mozilla.org/show_bug.cgi?id=215243
>  * http://wiki.cacert.org/InclusionStatus
> Or my understanding of the issue at stake is wrong?

I may be wrong, but can't we have more than one certificate, i.e., have
the website certified by Gandi and by CAcert?

I have asked for the details on some IRC channel, but it was not clear
what we can achieve in this regard.

This way, we have a certificate that works with CAcert, and we also benefit
from the reputation of using something less commercial (not that I
think Gandi does a bad job, and I do not say this because I know the guy
there, but the whole centralisation around X.509 is bad, so we should try
to find a better one if this is not detrimental).

Another possible complementary approach would be to look at the
Monkeysphere project (http://web.monkeysphere.info/why/) (at least for the
OpenSSH part), but that's for sure not a solution to the problem of
regular people who are scared by the Firefox dialog.

Michael Scherer

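The wildcard limitation discussed in the thread (a `*.domain` certificate covering `foo.domain` but not `foo.bar.domain`), as an added example that is not part of the original message: a small hostname matcher following the RFC 6125 section 6.4.3 rules, with a helper that lists which of a site's hostnames a given wildcard name would leave uncovered. The certificate name and host list are constructed samples; rejecting partial wildcards such as `f*o.domain` is a deliberately stricter choice than the RFC strictly requires.

```python
"""Added example: which hostnames does a wildcard dNSName actually cover?

A '*' in a certificate name matches exactly one DNS label, so
'*.example.org' covers 'www.example.org' but not 'foo.bar.example.org'
and not the bare 'example.org'. The sample data below is constructed.
"""


def _label_matches(pattern: str, label: str) -> bool:
    """One pattern label against one host label; '*' matches any single label."""
    if pattern == "*":
        return True
    return pattern.lower() == label.lower()  # DNS names are case-insensitive


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate name `cert_name`.

    Rules: a wildcard may only be the complete leftmost label; the wildcard
    never spans a dot, so label counts must be equal; a bare '*' or '*.tld'
    is rejected as too broad. Partial wildcards ('f*o') are rejected too,
    which is stricter than RFC 6125 but matches common CA policy.
    """
    cert_labels = cert_name.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if "*" in cert_name:
        if cert_labels[0] != "*" or any("*" in lab for lab in cert_labels[1:]):
            return False  # partial or non-leading wildcard
        if len(cert_labels) < 3:
            return False  # '*' or '*.tld' would cover far too much
    if len(cert_labels) != len(host_labels):
        return False  # '*.domain' does not cover 'a.b.domain' or 'domain'
    return all(_label_matches(p, h) for p, h in zip(cert_labels, host_labels))


def uncovered_hosts(cert_name: str, hostnames):
    """Return the hostnames in `hostnames` that `cert_name` does not cover."""
    return [h for h in hostnames if not hostname_matches(cert_name, h)]


# Constructed sample: one wildcard cert and the names a site might serve.
SAMPLE_CERT_NAME = "*.example.org"
SAMPLE_HOSTS = ["www.example.org", "foo.bar.example.org", "example.org"]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_CERT_NAME, SAMPLE_HOSTS):
        print(f"{host} is NOT covered by {SAMPLE_CERT_NAME}")
```

Running the script prints the two constructed names that the wildcard leaves out, which is the check to run over a site's full host list before buying a wildcard certificate.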