My First EV SSL Journey

Posted on August 21, 2008

I had my first experience with obtaining and installing an EV SSL (extended validation) certificate this week. I had expected the entire process to be much more grueling than it really was. Not that I’m complaining, but for the money you pay for these things… well, I expected to be worked over a bit more!

The EV SSL cert is intended to show that the cert holder has been a bit more rigorously validated and their identity “proven” via a background check. The idea here is that when you see an EV SSL on a site, you should feel even more comfortable than if you see a “regular” SSL certificate. Marketing folks love things like this that generate a “feel good” impression…

(Remember, you’re not SSL until you see https:// in the address. Look for the lock, etc.)

I submitted the application for my cert on Tuesday. Yesterday there was some simple paperwork to sign and fax and then a bunch of phone calls for business and employment verification. By the end of the day I’d received the certificate file.

OK, that was a lot less intense than I had been braced for. Almost, to be honest, a bit disappointing too.

IIS Notes

For folks running IIS web servers, there’s a bit of a challenge when you already have a cert but are starting the process of obtaining a new/different one. See, my server had a regular SSL certificate that expires in a couple months. We decided that we wanted to go EV sooner. Since there’s already a cert installed, the IIS Certificate wizard doesn’t offer any options related to generating a new CSR (Certificate Signing Request).

The folks at thawte, however, have documented a nice little work-around. My hope is that by putting that link here I’ll find it next time I need to do the same thing.

Long story short, create a new temporary web site, generate the CSR from that. Then apply the cert and move it over to the main site.

But Wait… Nothing’s Ever Simple

So now I have my new EV SSL cert on my server. I hit it with Firefox 3 and get the lovely green indicator in the address bar very clearly showing this URL is special. Sweet.

Next I tried with Internet Explorer 7 and… hmm… nothing. Oh yeah, there’s a trick for IE7 – if you’ve turned off automatic phishing checking, you’ve also turned off EV checking. Lame.

Fix IE7: Internet Options –> Advanced –> “Check for server certificate revocation” –> Check that box.
Close and re-start IE. Now you’ll get the fancy green bar for EV SSL without running phishing checks on all sites.

Next I tried in Firefox 2 and got a horrible certificate mismatch error. Same with Safari. Uh oh. Not good.

Turns out there are some extra steps to installing an EV cert. Specifically, you need some additional root certificates on your web server. Thawte had an article on that as well, but my initial attempts at following the (poorly written imho) instructions failed.

Fortunately, the online chat support rep was able to help me get squared away after an hour’s worth of trial and error (he actually emailed me certs to make sure I was getting the right stuff) and removing/reloading certificates.

No more errors in FF2 and Safari. No nifty indicators in FF2, but oh well… none in IE6 either. Granted, those aren’t con

I get a yellow bar in Opera, but I don’t discern any difference between an EV SSL and a regular SSL site in Opera 9.52. Not sure what’s going on there yet.

So there you have it. Next time I’ll pay more attention when it comes to installing those root certificates and save myself a couple hours of panic.
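
The errors described above are what a client reports when it cannot link a site certificate to a root it already trusts. The script below is an added example, not code from this post or from thawte: it builds a constructed three-level chain with the openssl CLI and checks the site certificate with and without the CA certificate the server is supposed to supply. All names and files are made up, and it assumes the missing certificates sit between the site certificate and the trusted root.

```shell
#!/bin/sh
# Constructed throwaway chain (root -> intermediate -> site); not real CA certs.
# Needs the openssl CLI, 1.1.0 or later (relies on the exit status of "verify").

new_key_and_csr() {  # $1 = file prefix, $2 = common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

build_chain() {  # $1 = existing empty work directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_key_and_csr "$d/root" 'Example Root CA'
  new_key_and_csr "$d/inter" 'Example Intermediate CA'
  new_key_and_csr "$d/site" 'www.example.test'
  # Root: self-signed, stands in for a root the browser already trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root; the web server must send this one.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Site certificate: signed by the intermediate, not by the root.
  openssl x509 -req -in "$d/site.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -out "$d/site.pem" 2>/dev/null
}

# Client that is handed only the site certificate (CA certs missing on server).
verify_site_only() {
  openssl verify -CAfile "$1/root.pem" "$1/site.pem" >/dev/null 2>&1
}

# Client that is also handed the intermediate CA certificate.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/site.pem" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d) || return 1
  build_chain "$work" || { rm -rf "$work"; return 1; }
  if verify_site_only "$work"; then r1=verifies; else r1=FAILS; fi
  if verify_with_intermediate "$work"; then r2=verifies; else r2=FAILS; fi
  echo "site certificate alone: $r1"
  echo "site certificate plus intermediate: $r2"
  rm -rf "$work"
}

demo
```

A browser that has the intermediate cached from another site behaves like the second check even when the server sends nothing extra, which is one way a site can look fine in one browser and fail in another.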
