Forum: NGINX Comodo EV SSL cert on nginx

Kurt Hansen (Guest)
on 2009-02-16 23:01
(Received via mailing list)
Hello,

I'm just starting to evaluate nginx for our use. Looking good so far!

One of our biggest clients uses an EV SSL cert from Comodo. The EV certs
have nice features on Firefox 3 and IE7; the address bar changes color
and shows the full name, making customers more comfortable in making
credit card transactions. Or so the theory goes.

For Comodo, you have to add their certs to the CA bundle and use
ssl_certificate_client directive. I believe I've implemented this
properly and it appears to be working.

However, I can't test out the FF3 and IE7 address features because they
only work on the live site, so I don't know for certain that they are
working.

Is anybody using Comodo EV SSL certs on nginx? Or, any EV SSL certs on
nginx? If so, can you send me the link so I can see it in FF3 and IE7?

By the way, Comodo only charges US$359 for EV certs while VeriSign
charges ~US$3000. If you are in the market for EV certs, check out
Comodo.

Take care,

Kurt Hansen
CharityWeb
Nick Pearson (Guest)
on 2009-02-16 23:15
(Received via mailing list)
Hi Kurt,

I've not tested a Comodo cert on nginx, but you can test it by editing
your /etc/hosts file (or on Windows, c:\WINDOWS\system32\drivers\etc\hosts)
to point a domain at a specific IP. In doing so, your computer will use
that IP when you request the domain (bypassing DNS), allowing you to test
the certificate. Just be sure to remember to clear that /etc/hosts entry
when you're finished!

Hope that helps.

Nick
Kurt Hansen (Guest)
on 2009-02-17 00:38
(Received via mailing list)
Hi Nick,

Yes, that helps a bunch! :-)

The EV features are working in FF3, but not in IE7 and Safari. Neither
recognizes Comodo as a CA -- I must not have the CA bundle set up right.
Let me check my setup further.

Take care,

Kurt
Igor Sysoev (Guest)
on 2009-02-17 08:11
(Received via mailing list)
On Mon, Feb 16, 2009 at 04:48:04PM -0500, Kurt Hansen wrote:

> ssl_certificate_client directive. I believe I've implemented this
> properly and it appears to be working.

ssl_certificate_client is for client authentication.

You need to

    cat your_cert comodo_ca_bundle > bundle_cert

and use

    ssl_certificate   bundle_cert;
Kurt Hansen (Guest)
on 2009-02-17 12:56
(Received via mailing list)
Igor Sysoev wrote:
>>
>
> and use
>
>     ssl_certificate   bundle_cert;
>
Thank you, Igor! That is what it says in the documentation, isn't it?
:-) I misread it the first few times.

It's working now!

Moving on to figuring out reverse proxy and rewrite.

Take care,

Kurt
Matt D. (matt_d41)
on 2010-12-09 22:20
hi

how did you create the comodo_ca_bundle?

I got these files from comodo

AddTrustExternalCARoot.crt
TERENASSLCA.crt
UTNAddTrustServer_CA.crt
myserver.crt

Any help, gratefully appreciated.

I have tried some options, none seem to work :-(
Maxim Dounin (Guest)
on 2010-12-09 23:19
(Received via mailing list)
Hello!

On Thu, Dec 09, 2010 at 10:20:18PM +0100, Matt D. wrote:

>
> Any help, gratefully appreciated.
>
> I have tried some options, none seem to work :-(

General rule is: concatenate certificates starting from your cert,
each certificate should sign previous one.

You may examine certificates you've got via something like

openssl x509 -noout -subject -issuer -in <cert>

Use the resulting file (with all certificates) in ssl_certificate
directive.

Maxim Dounin
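
The ordering rule from the post above, as an added example that is not part of the original thread: `build_bundle` starts from the server certificate and repeatedly appends the file whose subject equals the previous certificate's issuer, using the same `openssl x509` fields. The function names, the constructed demo chain (`make_demo_chain`) and the choice to leave the self-signed root out of the bundle are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): order PEM files for ssl_certificate.
# Assumes one certificate per file and the openssl CLI on PATH.

# dn subject|issuer FILE: print that name in one stable format for comparing.
dn() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"; }

# build_bundle LEAF OUT CANDIDATE...: write LEAF, then the file whose subject
# equals the previous file's issuer, and so on up the chain.
build_bundle() {
    leaf=$1; out=$2; shift 2
    cat "$leaf" > "$out" || return 1
    cur=$leaf; hops=0
    while :; do
        want=$(dn issuer "$cur"); next=
        for f in "$@"; do
            if [ "$(dn subject "$f")" = "$want" ]; then next=$f; break; fi
        done
        if [ -z "$next" ]; then
            echo "missing certificate for issuer: $want" >&2; return 1
        fi
        # A self-signed root ends the chain. It is left out of the bundle
        # because clients take roots from their own trust store.
        [ "$(dn issuer "$next")" = "$want" ] && return 0
        hops=$((hops + 1))
        [ "$hops" -le "$#" ] || { echo "issuer loop" >&2; return 1; }
        cat "$next" >> "$out"; cur=$next
    done
}

# issue DIR NAME SIGNER CN: constructed test certificate signed by SIGNER.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$4" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/$3.crt" \
        -CAkey "$1/$3.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf, names made up.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    issue "$1" inter root "Demo Intermediate" &&
    issue "$1" leaf inter "demo.example"
}
```

The candidate files can be passed in any order; the function fails with a message naming the missing issuer when a link in the chain is absent.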