EV SSL Certs

Coy Hile coy.hile at coyhile.com
Mon Sep 12 19:57:40 CDT 2011


On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile at coyhile.com> wrote:
>> As an academic aside, exactly what would one set on his (internal)
>> root CA so that internally-trusted certs signed by that CA would show
>> up as EV certs?
>
> This is not possible without changing browser source code and recompiling
> (or debugging/editing the browser binary).
> The IDs of certificates that are allowed to sign EVSSL CAs are
> hard-wired in the browser.
> In some browsers, this also means it's impossible for an end user to
> "untrust" or remove an EVSSL CA.
>
> It also means you cannot, as a site administrator, make an
> administrative decision to internally add an internal EVSSL CA
> without customizing every browser.
>
> If you ask me... it's shoddy software design. EVSSL CAs should be
> configurable, but none of the major browsers provide the knobs to
> manually add or remove EVSSL access to/from a trusted CA.
>

Thanks. I saw something about it on TechNet.  (I'm using Windows for
my internal CA).  I'm guessing those instructions may work for IE
only.  If I find anything interesting, I'll let you know.



More information about the NANOG mailing list