SSL Certificate order

Cheekian Tan

Sep 25, 2019, 11:55:10 AM
to BigBlueButton-Setup


Hi Fred,

I purchased the SSL certificate from Comodo Certification Authority. It contains four files:
  1. classroom_iaapathway_com.crt
  2. AddTrustExternalCARoot.crt
  3. SectigoRSADomainValidationSecureServerCA.crt
  4. USERTrustRSAAddTrustCA.crt
In the command below, I entered the content of "classroom_iaapathway_com.crt" as 1 and the contents of "SectigoRSADomainValidationSecureServerCA.crt" and "USERTrustRSAAddTrustCA.crt" as 2.

# cat >/etc/nginx/ssl/classroom.mydomain.com.crt <<'END'
Paste (in order) the contents of the following files:
  1. The signed certificate from the CA
  2. In order, each intermediate certificate provided by the CA (but do not include the root).
END

Am I doing this right?

Thanks,
Cheekian

Sven Brozio

Sep 30, 2019, 8:52:55 AM
to BigBlueButton-Setup
Mostly right, but why wouldn't you include the root certificate? It's crucial for OCSP stapling, which is a must-have if you want maximum security (and the ratings that come with it).
What you are doing is basically creating a chain certificate, beginning with your server certificate all the way to the root, all certificates validating the next one in the chain.

Cheekian Tan

Oct 1, 2019, 3:44:17 AM
to BigBlueButton-Setup
Hi Sven,

Thanks for the reply. It says "(but do not include the root)" in the docs. That's why I didn't include the root file. Should I include that then?

Regards,
Cheekian

Sven Brozio

Oct 1, 2019, 6:13:37 AM
to BigBlueButton-Setup
Which docs are you referring to? The BBB docs? Do you have a link?
SSL usually has nothing to do with the client software you use; it takes place at the connection level. Usually it's best to follow the instructions of the certificate issuer, since changes are frequent, and when it comes to security you want to be up to date.
Just try it; if it works, check your site with the SSL test: https://www.ssllabs.com/ssltest/
This checks your site for vulnerabilities.

Calvin Walton

Oct 1, 2019, 10:12:10 AM
to bigbluebu...@googlegroups.com
On Tue, 2019-10-01 at 00:44 -0700, Cheekian Tan wrote:
> Hi Sven,
>
> Thanks for the reply. It says "(but do not include the root)" in the
> docs.
> That's why I didn't include the root file. Should include that then?

The root certificate is the certificate that the web browser already
has in its local certificate store. The web browser will ignore it if
it's sent as part of the certificate chain, and will validate using the
local copy of the root certificate instead.

So including the root certificate in the certificate chain sent by the
server is unnecessary, and the extra size of the SSL handshake might
slow down connections a bit.

Note that OCSP stapling does not require the root certificate to be
installed on the server - it only needs the intermediate certificates.

--
Calvin Walton <calvin...@kepstin.ca>
