Bill Digman is a Java EE / Servlet enthusiast and Open Source enthusiast who loves working with Caucho's Resin Servlet Container, a Java EE Web Profile Servlet Container. Bill has posted 12 posts at DZone.

Setting up OpenSSL with Resin 4.0.32 on Ubuntu 12.04

02.13.2013

Some more background on certificate chains and why they are needed with GoDaddy

This information was derived from http://bloggit.livejournal.com/26595.html and other places.

GoDaddy has good prices and decent service. Sadly their explanations are a bit terse, as is the documentation for OpenSSL.

Browsers like Opera and Internet Explorer accept a GoDaddy certificate on its own. Firefox, Chrome, Safari and other applications do not. The difference is not that those browsers distrust GoDaddy; it is that GoDaddy signs your certificate with an intermediate CA rather than with a root, and a client that does not already hold that intermediate cannot connect your certificate to anything in its trust store. (Windows' certificate engine, which Internet Explorer uses, can fetch a missing intermediate from the URL embedded in the certificate; Firefox does not do that.) So if you install just your own certificate, such a client gives you the old "Unknown Authority" error. This is not what you want from a CA at all.

An SSL/TLS certificate binds a name to a public key and carries a signature from its issuer; the issuer's own certificate is signed by its issuer in turn, and so on, forming a chain of trust. It's a bit like asking for references. Your browser, app or device knows a few top-level authorities (root CAs), but certainly not all. When it sees a new certificate, the browser (or SSL library or app) tries to build a path from that certificate up to one of the roots in its own trust store, checking the signature at each step.

You can view the list of authorities in your browser pretty easily: Firefox: Options - Advanced - View Certificates - Authorities.

The trick is to provide a chain of certificates from your own up through GoDaddy's intermediate CA, all the way up to a root that Firefox already knows about. That is what the chain.txt file we constructed does: it concatenates GoDaddy's intermediate bundle onto our own certificate. Firefox does not hold GoDaddy's intermediate, but it does trust the root from GoDaddy's parent company Starfield, so the chain we created is mydomain.com -> godaddy.com -> starfield.com. Firefox looks at mydomain.com and does not recognise the issuer. It looks at the next certificate in the chain, GoDaddy's intermediate, and does not recognise that issuer either, and then it reaches Starfield, which it does have in its root store. Now it works back down: the Starfield root key checks the signature on the GoDaddy intermediate, and the GoDaddy intermediate key checks the signature on mydomain.com. If every signature (plus the validity dates and the host name) checks out, the connection is trusted. Firefox also remembers intermediates it has seen, which is why a site that forgets to send its chain can work on one machine and fail with "Unknown Authority" on a fresh one. Whoot!

We will do this by including the certificate "chain".
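A worked illustration of the chain check described above (the chain-of-references walk and the mydomain.com -> GoDaddy -> Starfield chain), added here as example code that is not from the original post and is not Resin or GoDaddy tooling. It uses openssl to build a throwaway three-level PKI whose names ("Demo Root CA", "Demo Issuing CA", "mydomain.com") are constructed for the example, then runs "openssl verify" first with the server certificate alone and then with a chain file that carries the intermediate. The root stands in for the trusted Starfield root and the issuing CA for GoDaddy's intermediate:

```sh
#!/bin/sh
# Added example, not part of the original post or of Resin/GoDaddy tooling.
# Builds a throwaway three-level PKI with openssl:
#   "Demo Root CA"      (stands in for a root the browser already trusts)
#     -> "Demo Issuing CA" (stands in for GoDaddy's intermediate CA)
#        -> "mydomain.com" (the server certificate)
# and then verifies the server certificate with and without the intermediate.
# All names and files below are constructed for this example.
set -eu

# Build root -> issuing CA -> leaf under directory $1.
build_demo_pki() {
  dir=$1
  mkdir -p "$dir"

  # Minimal req config so the example does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Extensions for certificates issued with "openssl x509 -req":
  # a CA certificate must say CA:TRUE, the server certificate must not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mydomain.com\n' \
    > "$dir/leaf.ext"

  # Root CA: self-signed, plays the role of a root already in the browser's store.
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # Issuing CA: plays the role of GoDaddy's intermediate, signed by the root.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Issuing CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

  # Server certificate for mydomain.com, signed by the issuing CA, not by the root.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mydomain.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

  # The chain file to hand to the server: our certificate first, then the
  # intermediate(s) up to, but not including, the root.
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/chain.pem"
}

# Verify the leaf the way a client does: trust only the root, plus whatever
# extra certificates the server sent ($2, optional). Returns openssl's status.
verify_leaf() {
  dir=$1
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$dir/root.pem" -untrusted "$2" "$dir/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" >/dev/null 2>&1
  fi
}

# Count the certificates in a PEM bundle (chain.pem holds two here).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

demo() {
  d=$(mktemp -d)
  build_demo_pki "$d"
  if verify_leaf "$d"; then
    echo "leaf alone: verified (unexpected)"
  else
    echo "leaf alone: rejected, the client cannot find the issuer (a browser says 'Unknown Authority')"
  fi
  if verify_leaf "$d" "$d/chain.pem"; then
    echo "leaf + chain.pem ($(count_certs "$d/chain.pem") certificates): verified"
  fi
  rm -rf "$d"
}
demo
```

The first "openssl verify" fails with "unable to get local issuer certificate", which is the command-line face of the browser's Unknown Authority error; the second succeeds only because the intermediate came along in chain.pem. Note the order in the chain file: your certificate first, then each intermediate. The root itself does not need to be included, since the client already has it and should not trust one it does not.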

___________________________________________________


Published at DZone with permission of its author, Bill Digman.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)