May 4, 2008
The Certificate Odyssey

I was just reading Ryan Janssen’s post Becoming an RP with the Pamela Project (pt. 1) and when I got to the end where he wrote “Since it’s going to take a few hours to get my SSL cert issued and installed, I think I’ll post this and go outside for a break!” it reminded me of the certificate odyssey I went through in April last year. After eventually getting the certificate created and installed, I wrote this about it at the time to Stuart Kwan (hip Internet terminologist):

Getting and installing the certificate was an unbelievable odyssey. It was an *incredibly complicated* process, that in my case, involved many visits to Network Solutions’ and GoDaddy’s support sites, several hours of my afternoon on Saturday, using cryptic openssl commands on Linux to create a key pair and a cert signing request (and later to strip the password off the key pair so Apache would start without the password), lots of help on IM from Pam Dingle, and the creation or use of 6 different passwords. Oh, and the cert wasn’t even installed by that point!

And it would have been *so easy* to get any of the steps wrong and have a cert request that was incorrect or to obtain a cert that didn’t do what I wanted it to. I understand the value that certificates provide (and it’s substantial). But we, as an industry, haven’t exactly made it easy for people to obtain and use them…

I’m tempted to blog about that, but I won’t… :-)

But seeing that Ryan is about to go through the same odyssey, I’ve reconsidered, hence this post. I’m now eagerly awaiting part two of his description to see how his experience compares to mine.

Of course, now that CardSpace and other identity selectors have support for no-SSL sites, hopefully this will be an optional odyssey soon – employed only when the security benefits of SSL certificates are called for. I know that Pamela plans to add no-SSL support to PamelaWare for WordPress soon, so after that, the pain that I went through and that Ryan’s in the midst of during a beautiful sunny day on the Lower East Side can be a thing of the past.

4 Responses to “The Certificate Odyssey”

  1. Becoming an RP with the Pamela Project (pt. 2) | drstarcat.com on 04 May 2008 at 6:42 pm #

    [...] as installing an SSL certificate is NOT something to be done by mere mortals (see Mike’s post here–and HE’S not even [...]

  2. Andy Dale on 05 May 2008 at 7:25 am #

    While I understand the convenience of the non-ssl implementation… How much does it compromise the overall security pattern?

    Presumably there was a reason that the SSL only decision was made to start with.

  3. Vittorio Bertocci on 06 May 2008 at 5:46 pm #

    Hi Andy,
    I blogged about this exact point back in September: you can read the post at http://blogs.msdn.com/vbertocci/archive/2007/09/25/windows-cardspace-will-work-without-https-too.aspx
    The option of using CardSpace without SSL is very handy for RPs which do not have strong requirements, and the subject authentication is still performed via asymmetric cryptography (checking the signature of the incoming token; see the post above) hence it maintains the good properties that the approach entails.
    If you want to chat about this in more depth feel free to drop me a line!

    Cheers,
    V.

  4. Cardspace Community Bloggers on 19 May 2008 at 2:40 pm #

    Worrying rumour…

    Word from Redmond is that, inspired by this salesmanship fiasco, in order to demonstrate their corporate…

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.