logo

SSL Is Not Easy

About a year ago I made a semi-botched attempt at self-certing one of my servers to use SSL. Since then I've had no call to use it. Until now. This time round I wanted to get a real certificate and apply it to this server. Doing so was not easy.

The whole process has taken me about three weeks. Most of this was spent trying to convince Comodo that Rockall Design is a real company and that I am who I say I am. This involved writing a lot of letters to the domain registrars so they would make changes to the WHOIS details. As well as these details having to match I had to provide numerous copies of official documents. Both understandable requirements, but both added to the time it took.

An added complication was that the actual cert I received didn't work. Having deciphered the Domino admin help files I finally reached a dead-end in the certification process. I asked Prominic to help at this point. Having assumed a cert was a cert I thought they would all work with Domino. So I was surprised when they told me that not all certs did and they knew of problems with Comodo certs and Domino. Despite their having instructions on working with Domino 4 & 5 they don't work with 6. Prominic suggested I get a refund and leave it to them. I happily obliged.

The fact I now have a working SSL setup with Domino is down to Prominic. I love those guys! They took care of the whole process and sent me an email when it was ready to go. Although I was hoping I'd get to work it out myself I'm glad I didn't have to. Moral of the story - leave it to the professionals.

I'll talk a bit more about SSL over the next few days. In the mean time I'm hoping you guys can help me pay Prominic back with some development help. They need an answer to a question already asked in the forums.

Comments

    • avatar
    • Neil
    • Wed 7 Dec 2005 04:20 AM

    Hi Jake,

    What company did the cert come from in the end?

    • avatar
    • Jake
    • Wed 7 Dec 2005 04:36 AM

    Geotrust.com

  3. Personally I've had absolutely no problems in handling SSL stuff. Right from version 4.6, through 5, 6, and 6.5.

    UP ( {Link} ) is a long running website, all Domino powered. And I had no problems whatsoever, even though I had to include 3 actual certificate IDs.

    The only issue I had was the fact that the certs have to be installed in the correct order, starting at the top level. Took all of 4 days to setup. Providing the cert provider can look at Companies House records, there is no problems. Even now, it takes around 30 mins to request and apply the updated certs.

    Moral of the story - leave it to the professionals. As in Cert professionals.

  4. On glitch I ran into with a cert is the level of OU they pack into the signature tree. If the cert has more than 3 (or 4 I can't remember) Domino would have problems. That happens both for SSL and the X509 eMail cert.

    :-) stw

  5. Your cert belongs to Equifax which is a company I normally would not trust (because I don't know it). Why don't you create your own certificate? I would trust Rockall Design Ltd. more than Equifax or so.

    In my opinion a cert is only of use if you use VeriSign or any other cert which all web browsers trust by default...

    Creating SSL-certs is not very complicated, I once did this in one or two hours. You need 2 databases (Server certificate authority and Server certificate admin) for this. Then you create a keyring and attach your keys to it.

  6. I've never had a problem with Comodo certs at all levels of 6 & now 7. Granted, the installation process could be a bit slicker, but there we are. @mt69clp: The problem with self-certs IMHO is the message you get in browsers becuase a self-cert doesn't have a trusted root. That tends to spook users.

    As far as I can see, users get confused between trust and encryption. They think that because a site has a certificate and the subsequent SSL conversation is encrypted then you can trust it. Not so, as the checking process is fairly superficial.

  7. Simon, I agree with you about the problem of self-certs but Equifax or whatever cert is the root for codestore is also not a trusted root for me.

    • avatar
    • Jake
    • Thu 8 Dec 2005 05:12 AM

    I have to admit I am a bit confused about this whole trust thing. More in another entry later this week.

    • avatar
    • Brian Miller
    • Thu 8 Dec 2005 08:42 AM

    For the record, Equifax is a large US company whose major business is credit reporting. I didn't know that they had gotten into the cert business. Their primary business requires that they garner a good deal of trust from the commercial world, since they're paid based on the (perceived) veracity of their reports. So, I suppose it's not out of the question that you can trust them, at least for cert guarantees.

  10. Jake,

    I was able to use Comodo without any problem on my 6.5.x server. I don't know what Prominic was talking about because it installed without any problems. I also got the certificate in less than 24 hours as well.

    I guess the "SSL gods" were not friendly with you. My ssl page is located here https://secure.pcorey.net

Your Comments

Name:
E-mail:
(optional)
Website:
(optional)
Comment:


About This Page

Written by Jake Howlett on Wed 7 Dec 2005

Share This Page

# ( ) '

Comments

The most recent comments added:

Skip to the comments or add your own.

You can subscribe to an individual RSS feed of comments on this entry.

Let's Get Social


About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.

Read more about this site »

More Content