[Mageia-sysadm] SSL certificate
misc at zarb.org
Wed Feb 9 16:58:35 CET 2011
On Wednesday 09 February 2011 at 15:36 +0100, Romain d'Alverny wrote:
> On Wed, Feb 9, 2011 at 15:22, Michael Scherer <misc at zarb.org> wrote:
> > Another issue we had with rapidssl was for foo.barr.domain when the
> > certificate was *.domain. That's something we need to check and to test
> > for sure.
> AFAIK, that is the case for all wildcards that only work on a single
> subdomain level, no?
Given the price of a wildcard cert, we didn't check other providers
when we faced the issue at my work. But that's something to look for.
I.e., be sure to keep only single-level URLs.
> >> For other solutions, Cacert is not an option so far.
> > Why ? Wobo and Pascal are both assurers, IIRC, as is rapsys.
> For the single reason it is not recognized by Firefox:
> * https://bugzilla.mozilla.org/show_bug.cgi?id=215243
> * http://wiki.cacert.org/InclusionStatus
> Or my understanding of the issue at stake is wrong?
I may be wrong, but can't we have more than one certificate, i.e., to have
the website certified by Gandi and by CAcert?
I have asked for the details on some IRC channel, but it was not clear
what we can achieve in this regard.

This way, we have a certificate that works in CAcert, and we also benefit
from the reputation of using something less commercial (not that I
think Gandi does a bad job, and also I do not say that because I know the guy
there, but the whole centralisation around x509 is bad, so we should try
to find a better one if this is not detrimental).

Another possible complementary approach would be to look at the
Monkeysphere project ( http://web.monkeysphere.info/why/ ) (at least for the
OpenSSH part), but that's for sure not a solution to the problem of
regular people who are scared by the Firefox dialog.
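
The single-level wildcard behaviour discussed in this message, as an added example that is not part of the original post: a small checker that applies the RFC 6125 rule (a `*` stands for exactly one leftmost label) to a planned list of hostnames. The `example.org` names and both function names are constructed for illustration, and partial wildcards such as `f*.example.org` are rejected here as a strictness assumption.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name covers the hostname.

    Rule applied: '*' is honoured only as the entire leftmost label
    and matches exactly one label, never a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # A wildcard never spans labels, so label counts must be equal.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    # '*' anywhere other than the leftmost label is invalid.
    if any("*" in label for label in p_labels[1:]):
        return False
    # Everything right of the leftmost label must match exactly.
    if p_labels[1:] != h_labels[1:]:
        return False

    first = p_labels[0]
    if first == "*":
        return True
    if "*" in first:
        return False  # assumption: partial wildcards are not accepted
    return first == h_labels[0]


def uncovered(hostnames, cert_names):
    """List the hostnames that none of the certificate names cover."""
    return [h for h in hostnames
            if not any(wildcard_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    # Constructed sample: names on a wildcard certificate and planned vhosts.
    cert_names = ["*.example.org", "example.org"]
    planned = ["www.example.org", "example.org",
               "foo.bar.example.org", "WWW.Example.Org."]
    for host in uncovered(planned, cert_names):
        print("not covered by certificate:", host)
```

Running it over the planned virtual hosts before buying a certificate shows which names would need their own certificate or an extra subject alternative name.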