Comodo EV SSL cert on nginx

Hello,

I’m just starting to evaluate nginx for our use. Looking good so far!

One of our biggest clients uses an EV SSL cert from Comodo. The EV certs
have nice features on Firefox 3 and IE7; the address bar changes color
and shows the full name, making customers more comfortable in making
credit card transactions. Or so the theory goes.

For Comodo, you have to add their certs to the CA bundle and use
ssl_certificate_client directive. I believe I’ve implemented this
properly and it appears to be working.

However, I can’t test out the FF3 and IE7 address features because they
only work on the live site, so I don’t know for certain that they are
working.

Is anybody using Comodo EV SSL certs on nginx? Or, any EV SSL certs on
nginx? If so, can you send me the link so I can see it in FF3 and IE7?

By the way, Comodo only charges US$359 for EV certs while VeriSign
charges ~US$3000. If you are in the market for EV certs, check out
Comodo.

Take care,

Kurt Hansen
CharityWeb

Hi Kurt,

I’ve not tested a Comodo cert on nginx, but you can test it by editing your
/etc/hosts file (or on Windows, c:\WINDOWS\system32\drivers\etc\hosts) to
point a domain at a specific IP. In doing so, your computer will use that
IP when you request the domain (bypassing DNS), allowing you to test the
certificate. Just be sure to remember to clear that /etc/hosts entry when
you’re finished!

Hope that helps.

Nick

Hi Nick,

Yes, that helps a bunch! :)

The EV features are working in FF3, but not in IE7 and Safari. Neither
recognizes Comodo as a CA – I must not have the CA bundle set up right.
Let me check my setup further.

Take care,

Kurt

On Mon, Feb 16, 2009 at 04:48:04PM -0500, Kurt Hansen wrote:

ssl_certificate_client directive. I believe I’ve implemented this
properly and it appears to be working.

ssl_certificate_client is for client authentication.

You need to

cat your_cert comodo_ca_bundle > bundle_cert

and use

ssl_certificate   bundle_cert;

Igor S. wrote:

and use

ssl_certificate   bundle_cert;

Thank you, Igor! That is what it says in the documentation, isn’t it?
:) I misread it the first few times.

It’s working now!

Moving on to figuring out reverse proxy and rewrite.

Take care,

Kurt

hi

how did you create the comodo_ca_bundle?

I got these files from comodo

AddTrustExternalCARoot.crt
TERENASSLCA.crt
UTNAddTrustServer_CA.crt
myserver.crt

Any help, gratefully appreciated.

I have tried some options, none seem to work :(

Hello!

On Thu, Dec 09, 2010 at 10:20:18PM +0100, Matt D. wrote:

Any help, gratefully appreciated.

I have tried some options, none seem to work :(

The general rule is: concatenate certificates starting from your cert;
each certificate should sign the previous one.

You may examine certificates you’ve got via something like

openssl x509 -noout -subject -issuer -in

Use the resulting file (with all certificates) in ssl_certificate
directive.

Maxim D.
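The ordering rule from the last reply, automated as an added example (not code from this thread): it reads each file's subject and issuer with the openssl command quoted above, then walks from the server certificate up through its issuers. The function names `read_names` and `order_chain` are assumptions, and only names are matched, so signatures are not verified.

```python
# Added example; read_names/order_chain are illustrative names, not nginx/openssl APIs.
import subprocess
import sys


def read_names(path):
    """Return (subject, issuer) of one PEM certificate, using the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    fields = {}
    for line in out.splitlines():
        key, _, value = line.partition("=")  # "subject=..." / "issuer=..."
        fields[key.strip()] = value.strip()
    return fields["subject"], fields["issuer"]


def order_chain(certs):
    """certs maps filename -> (subject, issuer); returns filenames, leaf first.

    Only names are compared, as when reading the openssl output by eye;
    signatures are not verified here.
    """
    by_subject = {subj: name for name, (subj, _) in certs.items()}
    issuers = {iss for subj, iss in certs.values() if subj != iss}
    # The server certificate is the one that issued none of the others.
    leaves = [n for n, (subj, _) in certs.items() if subj not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one server cert, found {leaves}")
    chain, current = [], leaves[0]
    while current is not None and current not in chain:
        chain.append(current)
        subj, iss = certs[current]
        # A self-signed root ends the walk; otherwise follow the issuer.
        current = None if subj == iss else by_subject.get(iss)
    unused = sorted(set(certs) - set(chain))
    if unused:
        raise ValueError(f"not linked into the chain: {unused}")
    return chain


if __name__ == "__main__":
    ordered = order_chain({f: read_names(f) for f in sys.argv[1:]})
    for name in ordered:
        with open(name) as fh:
            # Guard against a missing final newline gluing two PEM blocks.
            sys.stdout.write(fh.read().strip() + "\n")
```

Saved under an assumed name such as order_chain.py, it is run with the certificate files as arguments and its output redirected to the bundle file used in ssl_certificate. A missing intermediate or an unrelated file raises an error instead of producing a broken bundle.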