Flutterby™! : RapidSSL Woes


RapidSSL Woes

2013-01-22 04:49:48.85314-08 by meuon 0 comments

So I've been trying to explain why a customer is having issues with their RapidSSL (Geotrust) certificate in technical terms. I gave up. Below is part of an actual email I sent them. I'm hoping it helps other lost souls.


You are on a RapidSSL.com, GeoTrust certificate now.

Later tonight XXX time, I'll see if I can make things work better. The issue is what you had to add when you installed the latest cert. Remember adding:

SSLCACertificateFile /etc/apache2/ssl/intermediate.crt

in: /etc/apache2/sites-enabled/website.ssl

That's the chaining part.

Let's put this in politically incorrect non-technical terms:

We all trust God. God's Certificate is installed in our browsers from the factory.

God says: I trust the Angel Michael.

So when we go to Angel Michael's website, we see God's seal of approval. We accept that, because God says Michael's site is real.

But Angel Michael is a little more lax in his seal of approval, it gets spread around a lot, and a Golgothan Demon convinces Michael to stamp him... (under duress... or false witness)

So when we go to the Demon's website, we see Michael's seal, and we can see that God trusts Michael, but we don't have Michael's stamp of approval in our trust circle.. And we don't convey God's trust of Michael into Michael's trust of a Demon.

Which is why some browsers (smart ones, actually) don't trust sites with an intermediate certificate. We want our trust directly from God himself, because Angels can be fickle beasts. Even God's favorite angel Satan went bad, and God revoked his trust certificate.

It's time to buy a certificate from God, directly. He ain't cheap. You can pick any God.. just pick one installed directly in most browsers. That's what you are paying for, God's word direct distribution network in the souls of your web browsers. The encryption part is easy. You can sign your own certificates, but no-one will trust that God automatically.
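
An added example, not part of the original post or email: the chaining step above reproduced with throwaway certificates, showing what a client that trusts only the root concludes when the server does or does not send the intermediate. Every name (`Demo Root CA`, `www.example.test`, the file names, and the `build_chain` / `verify_leaf` helpers) is constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo: Demo Root CA -> Demo Intermediate CA -> www.example.test.
# Every key and certificate here is a throwaway made up for illustration.

build_chain() {   # $1 = empty working directory
  d="$1"
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Root CA: the only certificate the client trusts ahead of time.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ext.cnf" \
    -extensions ca -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/intermediate.crt" 2>/dev/null || return 1
  # Server certificate, signed by the intermediate (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ext.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/int.key" -set_serial 3 -days 30 -extfile "$d/ext.cnf" \
    -extensions leaf -out "$d/server.crt" 2>/dev/null || return 1
}

verify_leaf() {   # $1 = directory, $2 = "with" or "without" the intermediate
  # -untrusted models certificates the server sends during the handshake.
  if [ "$2" = "with" ]; then
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" \
      "$1/server.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
echo "server sends leaf only:           $(verify_leaf "$demo_dir" without)"
echo "server sends leaf + intermediate: $(verify_leaf "$demo_dir" with)"
rm -rf "$demo_dir"
```
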
