Certificate story: OCSP as an additional layer that can block any site on the web.
First, we need to remember what certificates are for at all. This is the official description:
With Organization Validation, the Certificate Authority verifies ownership of the domain name and the business registration information before issuing a certificate. Information about both the domain and the company is also listed in the certificate. Since the CA performs manual validation of your business, these certificates can take up to two business days to be issued. For the USA, if you want to force the validation through, you need to give the Certificate Authority a link to an entry for your company in a government or business database, for example Dun & Bradstreet, https://www.bisnode.de/upik-en/ (same as D&B), or Bloomberg. If the company is not present in any QGIS (Qualified Government Information Source) or QIIS (Qualified Independent Information Source), you can send a Legal Opinion Letter (LOL) or Public Accountant Letter (PAL) signed by an accountant or attorney. If Sectigo is the company checking the organization, you can submit a ticket to Sectigo here: https://sectigo.com/support-ticket and the letter templates are here: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFM8
SSL certificates are a mandatory service now: most browsers don't even allow you to log in to a site without a certificate, and Google doesn't show sites without certificates in its listings.
In the common case the certificate story is pretty simple: we load the purchased certificate on the site like this:
And then we only need to load a similar config into Nginx.
There are only a couple of usual mistakes when working with certificates:
- (1) Usually all of us lose the private key, because the CA sites usually don't store it. If we lost the private key and then found something, we first need to check: is this key really the one for the certificate?
- (2) Because the sites usually give us the certificate and the chain of the issuing authority as different files, we need to concatenate them. And pay attention: the order is important! The site certificate comes first, the CA bundle after it.
# cat /etc/ssl/ssl1/cryptochest.io.crt /etc/ssl/ssl1/cryptochest.io.ca-bundle.txt > /etc/ssl/ssl1/cryptochest.io.bundle.crt
(Run this in a root shell, as the # prompt shows: a plain `sudo cat ... >> file` does not work, because the redirection is done by the unprivileged shell, not by sudo. A single `>` is used instead of `>>` so that running the command twice does not produce a bundle with duplicated certificates.)
Here is one possible problem caused by a wrong concatenation:
- (3) The next issue is when the server doesn't support some type of key. In this case there are a lot of online services (in addition to the openssl commands) that help convert keys, for example my beloved service https://decoder.link/. Keep in mind that pasting a private key into a third-party site discloses it to that site, so prefer converting keys locally with openssl.
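The two checks from mistakes (1) and (2), plus a look at where a certificate points its revocation queries, as an added example that is not part of the original post. It assumes only a POSIX shell and the openssl command line; every certificate, key and name in it is constructed on the fly and thrown away.

```shell
# Added example (not from the original post): builds a throwaway CA and leaf
# certificate with openssl, then runs the checks the text recommends:
# does a private key belong to the certificate, and is the bundle in the
# right order. All names are constructed; no real site material is used.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA and leaf (throwaway RSA keys, valid for two days).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
  -out "$WORK/site.csr" -subj "/CN=site.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/site.crt" -days 2 >/dev/null 2>&1
# An unrelated key stands in for a "found" key of unknown origin.
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1

# key_matches_cert KEY CERT: succeeds when the public key derived from KEY
# equals the public key inside CERT (compared as SHA-256 of the DER form).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER \
      | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_bundle LEAF CA OUT: leaf first, then the issuing chain, the order
# Nginx expects for ssl_certificate.
make_bundle() { cat "$1" "$2" > "$3"; }

# first_cert_is LEAF BUNDLE: succeeds when the first certificate in BUNDLE
# is LEAF. openssl x509 reads only the first PEM block, which is also what
# a server presents as its own certificate, so a CA-first bundle fails here.
first_cert_is() {
  a=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$a" = "$b" ]
}

# chain_verifies LEAF BUNDLE CA: succeeds when LEAF chains up to CA using
# the bundle's certificates as the untrusted intermediates.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# ocsp_responder CERT: prints the OCSP responder URL(s) from the
# Authority Information Access extension; empty for this throwaway cert.
ocsp_responder() { openssl x509 -in "$1" -noout -ocsp_uri; }
```

On a real certificate, ocsp_responder prints the CA's responder URL, which is the address the browser asks before deciding whether to show the site.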
So, those are the usual issues, but unexpectedly I ran into a new one. To my surprise, my site opened in one browser but was absent in another.
This was a surprise for me, so I checked my site in another service I like, https://www.ssllabs.com/ssltest/index.html, and found an interesting issue: the certificate was reported as revoked through the OCSP protocol.
Interesting! I allowed revoked certificates in Firefox, and the site started to show in Firefox.
What is OCSP at all? Read more at https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol. In short, the browser asks the CA's OCSP responder whether the certificate with this serial number is still good, and a "revoked" answer makes the browser refuse the site.
This issue with revoked certificates forced me to look at the certificate story from another point of view. It is a way for a special internet authority company to block any site at any time. It is an additional layer between the site on the server and the end users! So what is the reason for certificates? Not only protection against sniffing at the provider, but maybe the main point is the ability to block any site at any moment by a handful of companies. The full list of these companies contains fewer than 100 companies: https://www.checktls.com/showcas.html.
So, fewer than 100 companies have the right to block any site at any time. Welcome to the new free world of SSL certificates!