[server-admins] Fwd: The certificate for www.crosswire.org will expire in 19 days
Jonathan Marsden
jmarsden at fastmail.fm
Sun Dec 12 20:48:23 MST 2010
On 12/12/2010 08:54 AM, Troy A. Griffitts wrote:
> I think the history of this is that we tried startcom after
> generating our own certificates for years, but if I remember
> correctly, the startcom cert still made us ok an exception for use of
> the certificate in our clients? I figured this was because startcom
> was not included in the recognized authority list of our clients
> (thunderbird for me).
My Thunderbird here (3.1.7) definitely has an included CA cert from
Startcom, and I have not manually added any certificates to it. So
perhaps Startcom has improved their standing with Thunderbird since you
first tried this?
I just exported that certificate, and then did

    openssl s_client -CAfile StartComCertificationAuthority -connect crosswire.org:443

and it verifies fine for me. Looks to me as though the current SSL
setup is a "commercial-looking" no-warnings it-just-works one. Looking
at the subject= bit shows it is a freebie, but few normal people look at
their SSL certificates at that level of detail :)
> Anyway, we use these for internal use to secure our IMAPS and SVN
> over HTTPS connections. What is the general consensus for how we
> should renew?
If you can use a Startcom cert with no warnings in Firefox and
Thunderbird, and it doesn't cost you more than you can afford... I'd
suggest that you renew with Startcom. Looks like the setup you now have
is working well, so my recommendation is not to mess with it :)
Jonathan
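Added example, not part of the original message: by default s_client finishes the handshake even when chain validation fails, so the check described above should be read from the "Verify return code" line rather than from a successful connection. The sketch below parses that line and the subject= line; verify_result is a hypothetical helper name and both sample outputs are constructed with placeholder names.

```shell
#!/bin/sh
# Added example; verify_result is a hypothetical helper, not from the thread.
# Reads `openssl s_client` output on stdin and prints one status line:
#   "verified <subject>", "failed(<code>) <subject>" or "no-result".
# Exit status: 0 verified, 1 verification failed, 2 no result line found.
verify_result() {
    out=$(cat)
    # s_client summarises chain validation as "Verify return code: N (text)".
    code=$(printf '%s\n' "$out" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
    # The leaf certificate's subject is printed on a "subject=" line.
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    if [ -z "$code" ]; then
        echo "no-result"; return 2
    fi
    if [ "$code" -eq 0 ]; then
        echo "verified $subject"; return 0
    fi
    echo "failed($code) $subject"; return 1
}

# Constructed sample outputs (trimmed, placeholder names), not real captures.
SAMPLE_OK='CONNECTED(00000003)
---
subject=/CN=www.example.org
issuer=/CN=Example Issuing CA
---
    Verify return code: 0 (ok)
---'
SAMPLE_FAIL='CONNECTED(00000003)
---
subject=/CN=www.example.org
issuer=/CN=Example Issuing CA
---
    Verify return code: 21 (unable to verify the first certificate)
---'

printf '%s\n' "$SAMPLE_OK" | verify_result || true
printf '%s\n' "$SAMPLE_FAIL" | verify_result || true

# Live use with the command from the message (stdin closed so it exits):
#   openssl s_client -CAfile StartComCertificationAuthority \
#       -connect crosswire.org:443 </dev/null 2>/dev/null | verify_result
```

The non-zero exit status on a failed or missing result lets the check run from cron or a monitoring job ahead of a renewal deadline.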