Hi,
As I learned that you could get free(!) SSL certificates from StartSSL.com with a root CA that is included in every major browser, I got excited and wanted to replace the self-signed WebAdmin CA certificate with a proper one (just to show off during trainings, impress colleagues and the like...) ;)
However, I found out that I could replace the WebAdmin certificate with the StartSSL.com one properly, but as StartSSL uses an intermediate issuing CA (that is signed by the actual root key of the CA that is part of every browser), I ran into a problem.
The reason for this is that the WebAdmin Apache (and probably many other parts of our product, such as the WAS) don't support certificate chains at the moment. However, those chains have to be sent to the browser in order to check the certificate validity.
Most other CAs (including Verisign) also act the same way and have different issuing CAs per certificate "Class" (see Public key certificate - Wikipedia, the free encyclopedia, for details about them).
Interestingly enough, the initial PKCS#12 file I uploaded included the full certificate chain for my public certificate, but the chain is not used by the ASG.
StartSSL describes the configuration necessary and it would be nice if the product could support this. Otherwise real certificates cannot be used for WebAdmin, as they are not issued by the root CA directly.
If you have any further questions or want to have a look at my setup, you know where to reach me ;)
Thanks
Christian
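
The chain problem described in the post, as an added example (not part of the original post and not the product's code): a constructed root CA, issuing CA and server certificate are built with the `openssl` CLI, then checked the way a client that trusts only the root would check them, first without and then with the chain recovered from the uploaded PKCS#12. All names, file names and the password `demo` are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> issuing (intermediate) CA -> server certificate.
# Every name, file and the password "demo" are made up for this example.

mkcert() {  # mkcert DIR NAME CN EXTENSION-LINE SIGNER-ARGS...
    d=$1 name=$2 cn=$3 ext=$4; shift 4
    printf '%s\n' "$ext" > "$d/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -days 30 -extfile "$d/$name.ext" \
        "$@" -out "$d/$name.pem" 2>/dev/null
}

build_demo_pki() {
    d=$1 ca='basicConstraints=critical,CA:TRUE'
    mkcert "$d" root "Demo Root CA" "$ca" -signkey "$d/root.key" &&
    mkcert "$d" issuing "Demo Issuing CA" "$ca" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 &&
    mkcert "$d" server "webadmin.example.test" 'basicConstraints=CA:FALSE' \
        -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -set_serial 3 &&
    # PKCS#12 upload as in the post: private key + server cert + issuing CA cert.
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.pem" \
        -certfile "$d/issuing.pem" -passout pass:demo -out "$d/upload.p12"
}

# Recover the CA certificates stored in the PKCS#12 into DIR/chain.pem.
extract_chain() {
    openssl pkcs12 -in "$1/upload.p12" -passin pass:demo -cacerts -nokeys \
        -out "$1/chain.pem" 2>/dev/null
}

# Client view: only the root is trusted. The optional second argument is the
# chain file the server presents beside its own certificate (untrusted input).
client_verifies() {  # client_verifies DIR [PRESENTED-CHAIN-FILE]
    if openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} \
        "$1/server.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" && extract_chain "$demo_dir"
echo "server certificate only:          $(client_verifies "$demo_dir")"
echo "server certificate + PKCS#12 chain: $(client_verifies "$demo_dir" "$demo_dir/chain.pem")"
```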