On a small non-commercial website I am using a no-cost Class 1 cert from Start SSL. There is no sensitive data going over the wire, but I do feel that I would like to provide at least a minimum of privacy to whoever browses to the site. When visiting the site in Firefox one receives the "Untrusted cert" warning. Here is an example using wget:
$ wget https://example.com/images/dog.jpg
--2013-08-09 15:21:10-- https://example.com/images/dog.jpg
Resolving example.com (example.com)... 54.43.17.16
Connecting to example.com (example.com)|54.43.17.16|:443... connected.
ERROR: The certificate of `example.com' is not trusted.
ERROR: The certificate of `example.com' hasn't got a known issuer.
The FAQ entry from StartSSL states that to avoid the warning, one must install the intermediate CA certificate to the browser. It is a bit unreasonable to expect all website visitors to do that!
I don't mind installing a cert from a larger company, but while researching the situation I find that the larger companies have the same issue. Another fine ServerFault question mentions that the server admin should install an intermediate certificate, but I am not sure that an intermediate certificate exists for Start SSL. Before moving to another company, how would I know if they have all the proper intermediate certificates that we would need? As the previous two linked questions demonstrate, even going with Verisign or GoDaddy may not resolve the issue.
This is a conventional LAMP stack (Ubuntu Server 12.04, Apache 2.2) running on Amazon Web Services.
The installation instructions not only refer to the intermediate certificate file, but provide a link to download it.
I have previously had certificates from StartSSL, and you will need to configure Apache to serve the intermediate certificate to complete the chain.
You will need to:
- Add the SSLCertificateChainFile directive to your Apache VirtualHost configuration
Edit - gah, ninja'd. Good answers :)
You need to find out if you are supposed to have an intermediate certificate or not. If you are, then having your server supply it in the chain will help any clients that do not have it build a valid chain (assuming they have the StartSSL root certificate installed locally).
That may not be the case, and that will not help people who don't already have the StartSSL root certificate trusted locally. You can't help those people, though; they will have to install it to avoid the warning.
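The two answers above make the same point from different sides: the server has to send the intermediate (SSLCertificateChainFile), and a client that trusts only the root cannot build a chain without it. The script below is an added example, not code from the question or any answer. It builds a throwaway root/intermediate/leaf PKI with nothing but openssl, reproduces the "not trusted / no known issuer" failure by verifying the leaf against the root alone, shows that supplying the intermediate makes verification succeed, checks that the leaf's issuer actually matches the intermediate's subject before you point Apache at the file, and writes an Apache 2.2 vhost fragment using the directive the second answer names. Every name in it (Demo Root CA, www.example.com, the /etc/ssl paths) is constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway three-level PKI (root -> intermediate -> leaf) to
# show why the server must serve the intermediate certificate. Needs openssl only.
# All subject names, hostnames and file paths below are constructed for the demo.
set -e
WORK=$(mktemp -d)

make_demo_pki() {
  # Root CA: self-signed and marked as a CA (this is what a browser would trust).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.pem" -days 2 -extfile "$WORK/ca.ext" 2>/dev/null
  # Intermediate CA, issued by the root. This is the certificate a client is
  # missing when it reports that the server cert "hasn't got a known issuer".
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1000 -out "$WORK/int.pem" -days 2 -extfile "$WORK/ca.ext" 2>/dev/null
  # Leaf (server) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=www.example.com" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 2000 -out "$WORK/leaf.pem" -days 2 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# A client that trusts the root but was never sent the intermediate: the
# situation behind the wget and Firefox warnings. Exit status is non-zero.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same client when the server includes the intermediate in its chain
# (-untrusted = "arrived over the wire, not trusted on its own"). Exit status 0.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print a certificate's subject or issuer in RFC 2253 form without the
# "subject="/"issuer=" prefix so the two can be compared textually.
cert_name() {  # $1 = -subject | -issuer, $2 = PEM file
  openssl x509 -in "$2" -noout "$1" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# Check before pointing Apache at an intermediate file: the leaf's issuer must
# be exactly the intermediate's subject, or the chain will not link.
chain_links() {
  [ "$(cert_name -issuer "$WORK/leaf.pem")" = "$(cert_name -subject "$WORK/int.pem")" ]
}

# Apache 2.2 vhost fragment (assumed file locations; adjust to your layout).
write_vhost() {
  cat > "$WORK/ssl-vhost.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key
    # Intermediate CA certificate(s), the leaf's issuer first. Without this line
    # the server sends only the leaf and clients cannot complete the chain.
    SSLCertificateChainFile /etc/ssl/certs/intermediate.pem
</VirtualHost>
EOF
}

make_demo_pki
if verify_root_only; then echo "root only: OK (unexpected)"; else echo "root only: FAILS, as in the wget output"; fi
if verify_with_chain; then echo "with intermediate: OK"; else echo "with intermediate: FAILS"; fi
if chain_links; then echo "leaf issuer matches intermediate subject"; fi
write_vhost && cat "$WORK/ssl-vhost.conf"
```

The verify_root_only / verify_with_chain pair is the whole story of the question: the CA's root is already in the client's store, so the only thing missing is the middle link, and it is the server's job to send it. The chain_links check is worth running against a real intermediate file, since a bundle downloaded for the wrong CA class will be silently ignored by clients. On Apache 2.4.8 and later the intermediate can instead be appended to the file named by SSLCertificateFile, but on the 2.2 in the question SSLCertificateChainFile is the directive to use.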