used
- Base64 encoded DER data
- Have headers that describe the contents
- -----BEGIN CERTIFICATE-----
- The "preferred" format for OpenSSL
@jtdowney 18
wrong format
- Server requires SNI and client doesn't support it
- Intermediate certificate isn't being served
- Default (and insecure) settings left enabled
for the basic file format
- Wraps public key
- Specifies subject of certificate and issuer
- Contents are digitally signed by issuer
- Lists lifetime of validity
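The two slides above describe the PEM container (base64 DER between BEGIN/END headers) and the shape of the certificate inside it (subject, issuer, signature, validity). The following added example is not from the slides or from @jtdowney; it builds a constructed certificate skeleton with a dummy key and signature (labelled as such in the code), wraps it as PEM, unwraps it again, and walks the DER to read issuer, subject and validity. The DER reader follows the RFC 5280 field order, so it also works on a real PEM certificate read from disk; the `_first_attribute_value` helper is a simplification that returns the first attribute of a Name rather than a full DN.

```python
# Added example (not from the slides): PEM <-> DER handling plus a minimal
# X.509 reader. The certificate built here is CONSTRUCTED for illustration:
# real structure, but a dummy public key and signature.
import base64
import re

# ---- minimal DER encoder (only what the sample needs) ----------------------
def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def utc_time(s: str) -> bytes:
    return tlv(0x17, s.encode("ascii"))            # UTCTime, e.g. 150901000000Z

SHA256_WITH_RSA = bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])

def name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF (OID, value); one CN-only RDN here."""
    atv = seq(tlv(0x06, bytes([0x55, 0x04, 0x03])),  # id-at-commonName 2.5.4.3
              tlv(0x0C, cn.encode("utf-8")))         # UTF8String
    return seq(tlv(0x31, atv))

def build_sample_certificate() -> bytes:
    """Constructed certificate: RFC 5280 layout, dummy key and signature."""
    alg = seq(tlv(0x06, SHA256_WITH_RSA), tlv(0x05, b""))
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                # [0] version v3
        tlv(0x02, b"\x01"),                            # serialNumber
        alg,                                           # signature algorithm
        name("Demo Issuer CA"),                        # issuer
        seq(utc_time("150901000000Z"), utc_time("160901000000Z")),  # validity
        name("demo.braintreepayments.com"),            # subject
        seq(tlv(0x03, b"\x00")),                       # subjectPublicKeyInfo (dummy)
    )
    signature = tlv(0x03, b"\x00" + bytes(16))         # BIT STRING (dummy)
    return seq(tbs, alg, signature)

# ---- PEM container ---------------------------------------------------------
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_to_der(pem: str):
    """Return (label, der). Raises ValueError on missing headers or bad base64."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not PEM: missing BEGIN/END header pair")
    body = re.sub(r"\s+", "", m.group(2))
    try:
        return m.group(1), base64.b64decode(body, validate=True)
    except ValueError as e:                 # binascii.Error subclasses ValueError
        raise ValueError(f"PEM body is not valid base64: {e}")

def detect_format(data: bytes) -> str:
    if data.startswith(b"-----BEGIN "):
        return "PEM"
    if len(data) >= 2 and data[0] == 0x30:  # outer SEQUENCE tag
        return "DER"
    return "unknown"

# ---- minimal DER reader ----------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the element at buf[pos:]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER content exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def _first_attribute_value(name_der: bytes) -> str:
    """Simplification: first attribute value of the Name (the CN in the sample)."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            _oid, value = children(atv)
            return value[1].decode("utf-8", "replace")
    return ""

def describe_certificate(der: bytes) -> dict:
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    parts = children(body)
    if len(parts) != 3:
        raise ValueError("expected SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }")
    tbs = children(parts[0][1])
    if tbs and tbs[0][0] == 0xA0:           # optional explicit [0] version
        tbs = tbs[1:]
    # tbs is now: serial, signature, issuer, validity, subject, spki, ...
    not_before, not_after = children(tbs[3][1])
    return {
        "issuer": _first_attribute_value(tbs[2][1]),
        "subject": _first_attribute_value(tbs[4][1]),
        "not_before": not_before[1].decode("ascii"),
        "not_after": not_after[1].decode("ascii"),
    }
```

Feeding raw DER to `pem_to_der` raises the "missing BEGIN/END" error, which is the "wrong format" case from the next slide, and a truncated DER blob fails inside `read_tlv` rather than silently producing a partial certificate.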
-out demo.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Illinois
Locality Name (eg, city) []:Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PayPal
Organizational Unit Name (eg, section) []:Braintree
Common Name (e.g. server FQDN or YOUR name) []:demo.braintreepayments.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
* Trying 54.215.8.63...
* Connected to www.braintreepayments.com (54.215.8.63) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: www.braintreepayments.com
* Server certificate: Symantec Class 3 EV SSL CA - G3
* Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5
> HEAD / HTTP/1.1
> Host: www.braintreepayments.com
> User-Agent: curl/7.43.0
> Accept: */*
Operating systems and browsers do
- On Linux these are generally gathered from the Mozilla list
- On OS X
  - Contains special patches which cause it to fall back to the OS X root certificates
  - The version is super old
- 54.215.8.63:443 -------------------------------------------------------------------
...snip...
* Certificate - Trust:
Hostname Validation: OK - Subject Alternative Name matches
Google CA Store (09/2015): OK - Certificate is trusted
Java 6 CA Store (Update 65): OK - Certificate is trusted
Microsoft CA Store (09/2015): OK - Certificate is trusted
Apple CA Store (OS X 10.10.5): OK - Certificate is trusted
Mozilla NSS CA Store (09/2015): OK - Certificate is trusted
Certificate Chain Received: ['www.braintreepayments.com', 'Symantec Cl...
...
server which vhost they want
- Without it, every hostname needs its own IP
- Can be expensive for hosting
- Host information is sent after TLS handshake (HTTP Host Header)
- SNI support is still not 100%
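The slide makes the point that the hostname the client wants arrives in the TLS ClientHello (the server_name extension, RFC 6066) rather than in the HTTP Host header, which is only sent after the handshake. The following added example is not from the slides or from @jtdowney: it constructs a minimal TLS 1.2 ClientHello with and without SNI (all bytes are constructed, nothing touches the network), parses the hostname back out the way a server or a passive monitor would, and shows the vhost fallback that produces the "wrong certificate" symptom when a client has no SNI support. The vhost table and certificate labels are made-up placeholders.

```python
# Added example (not from the slides): build and parse the SNI extension of a
# TLS ClientHello. All bytes are CONSTRUCTED; no network access.
import struct

SNI_EXTENSION = 0x0000      # RFC 6066 server_name extension type
HOST_NAME_TYPE = 0x00       # NameType host_name

def build_client_hello(server_name=None) -> bytes:
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello."""
    random = bytes(32)                                   # fixed, for reproducibility
    session_id = b"\x00"                                 # empty session id
    cipher_suites = struct.pack("!H", 2) + b"\xC0\x2F"   # one suite, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x01\x00"                            # null compression only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_data)) + sni_data
    body = b"\x03\x03" + random + session_id + cipher_suites + compression
    if extensions:                                       # extensions block is optional
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:       # truncated, or not a ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                     # client_version + random
        pos += 1 + hello[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                            # compression_methods
        if pos >= len(hello):
            return None                                  # no extensions at all (old client)
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p, list_end = 2, 2 + list_len
            while p + 3 <= list_end:
                name_type = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == HOST_NAME_TYPE:
                    return data[p:p + nlen].decode("ascii")
                p += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                      # malformed input is treated as "no SNI"

def select_vhost(record: bytes, vhosts: dict, default: str) -> str:
    """Pick the vhost (and so the certificate) for a ClientHello.
    Without SNI the server can only serve the default vhost, which is why a
    non-SNI client sees the 'wrong' certificate on a shared IP."""
    host = extract_sni(record)
    return vhosts.get(host, default) if host else default

# Constructed vhost table; the values stand in for certificate handles.
VHOSTS = {
    "demo.braintreepayments.com": "cert-demo",
    "www.braintreepayments.com": "cert-www",
}
```

Logging the result of `extract_sni` for each inbound ClientHello is a cheap way to see how many clients still connect without SNI before dropping the default vhost, and the parser returns `None` on any truncated or malformed record instead of raising.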