EV SSL Certs
coy.hile at coyhile.com
Mon Sep 12 19:57:40 CDT 2011
On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile at coyhile.com> wrote:
>> As an academic aside, exactly what would one set on his (internal)
>> root CA so that internally-trusted certs signed by that CA would show
>> up as EV certs?
> This is not possible without changing browser source code and recompiling
> (or debugging/editing the browser binary).
> The IDs of certificates that are allowed to sign EVSSL CAs are
> hard-wired in the browser.
> In some browsers, this also means it's impossible for an end user to
> "untrust" or remove
> an EVSSL CA.
> It also means you cannot, as a site administrator, make an
> administrative decision to internally
> add an internal EVSSL CA, without customizing every browser.
> If you ask me... it's shoddy software design. EVSSL CAs should be
> but none of the major browsers provide the knobs to manually add or
> remove EVSSL
> access to/from a trusted CA.
Thanks. I saw something about it on TechNet. (I'm using Windows for
my internal CA). I'm guessing those instructions may work for IE
only. If I find anything interesting, I'll let you know.