Free Chinese 2 year SSL certificate: DV KuaiSSL by WoSign.com - Page 2


Comments

  • Detruire Member
    edited January 2015

    rm_ said: P.S.: installed another copy of Chrome 39 on a different computer, and it's giving yellow warnings both on all my sites, and on @comXyz https://comxyz.com/. D'oh!!
    Looks like Chrome uses certificates from the OS, and on that PC (VM actually) the OS is Windows 7 without service packs. Maybe it's a bit too old. I think I will return to StartSSL certs for my main sites for now, and hope the WoSign CA in the coming 10 months to their expiration gets around to making proper SHA2 certs :)

    So it's giving the warnings because it's using the Startcom cert as the top of the chain, and the WoSign CA cert is using SHA1?

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Detruire said: So it's giving the warnings because it's using the Startcom cert as the top of the chain, and the WoSign CA cert is using SHA1?

    Because it ends up using:

    StartCom -> StartCom/WoSign cross (SHA1) -> WoSign G2 (SHA2) -> You

    Chrome 39.0.2171.99 m, Windows 7 plain

    For no warnings, it must use directly:

    WoSign (SHA2) -> WoSign G2 (SHA2) -> You

    Chrome 39.0.2171.95 m, Windows 7 SP1

  • @rm_ how to use WoSign (SHA2) -> WoSign G2 (SHA2) directly?

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    @comXyz my server ships both chains, i.e. between these two screenshots there was no configuration change on the server. The current theory I have is that Chrome uses the trusted certificate store from the operating system it's running on. And that the Windows 7 without SP1 does not include the "WoSign (SHA2)" cert as trusted, so on that OS Chrome has to use the StartCom path.

    Thanked by 1comXyz
  • God dammit! Is it possible to re-issue in SHA2? chrome doesn't show the green stuff with SHA1.

  • @cosmicgate said:
    God dammit! Is it possible to re-issue in SHA2? chrome doesn't show the green stuff with SHA1.

    Buy it again and choose SHA2

  • I can't generate a certificate, it always shows the error "Please retry"....

  • Mine is issued by common name WoSign CA Free SSL Certificate G2
    rm_'s is issued by common name CA 沃通免费SSL证书 G2

    Which root CA do you use?

    I've tried the root below, it still shows WoSign CA Free SSL Certificate G2

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    If yours is issued by

    tommy said: WoSign CA Free SSL Certificate G2

    then you have selected an "English language" certificate. My instruction was for Chinese ones.

    Thanked by 1tommy
  • Looks like wosign has terrible browser support, even their own website returns a SSL error. I'll stick with rapidssl.

  • Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?

  • Do you mean for different domains?
    Or for the same domain? Which I don't think will be possible.

  • @zxb said:
    A word of warning: don't put too much trust on Chinese CAs.

    I have no idea why: either you are getting paid by the Chinese or making money out of Chinese people, and yet you keep putting comments like this about the Chinese government.

    Do you think NSA/US-based CAs are really more trustworthy than the Chinese ones? The NSA is known to have used one of the SSL exploits to peek into encrypted data for years.

  • >

    Question on certificates - Is it possible to have multiple certificates on the same domains from the same provider or different providers which will still be valid, ie recognized in the browsers?

    You can run the same domain on 2 IPs/servers and use different certs; the end user's client will then decide by round robin which server it connects to. It doesn't make much sense.

    With SNI you can run 2 different certs on the same IP (not sure with the same contained names, but I see nothing against that in the specs); the decision which cert will be used is random or first hit then. It doesn't make much sense either to do that.

    Thanked by 1rchurch
  • @William said:
    With SNI you can run 2 different certs on the same IP (not sure with the same contained names but i see nothing against that in the specs), decision which cert will be used is random or first hit then. Makes not much sense either to do that.

    What I mean to ask is whether certificates are recognized as valid so long as they are not expired or revoked, i.e. whether a browser or some other software will regard different certificates for the same domain as valid even if their lifetimes overlap. In other words, there is no such thing as a single authoritative certificate for a domain at any time, so that if people from different countries connect to different servers with different certificates, although they use the same domain, they will still be valid.

  • You can have as many certificates for a domain at the same time as you like. So if you intend to get another cert while an old one hasn't run out yet, that should be fine ;-)

  • Wow, there seems to be quite some confusion about getting the intermediate certificates right and the availability of SHA256. This is what I found out, please correct me if I am wrong:

    For the English certificate use this:

    your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

    For the Chinese certificate use this:

    your-domain.com.crt -> ca2_dv_free_2.crt -> ca2_xs_sc_new.crt

    • The order is important: the first certificate in the file is the one for your domain, then the intermediate and last the cross-signed certificate by StartCom. It is bad to include any other certificates since they will NEVER be used and they just make the TLS handshake to your website slower! Please use SSLLabs.com to check for the correct certificate chain.
    • It looks like StartCom only cross-signed a SHA1 certificate for both the English AND the Chinese one. They did this in 2011 when nobody thought about SHA256, so now it is difficult to get those signed with SHA256. It means that it is not possible to get a complete SHA256 chain with the Chinese certificate either (on old browsers).

    • On these clients the short, direct WoSign trust chain with only SHA256 certificates will be used (resulting in a nice green padlock):

      • Mozilla Firefox 32 or newer on any OS (it uses its own NSS library)
      • Google Chrome on Linux when NSS was updated after July 2014 (3.16.3 or newer)
      • Internet Explorer, Google Chrome and Safari on Microsoft Windows Vista or newer which do not explicitly block the "Update Root Certificate feature" described here. They do not need to have automatic updates enabled, this is a separate update mechanism which is enabled by default!
      • Android 5.0 or newer (this is the ticket, on my Android 5.0 it is already included by default)
    • NOT using the short direct SHA256 WoSign chain but the larger one with the cross-signed SHA1 StartCom certificate:

      • Google Chrome and Safari on all Apple devices (MacOS and iOS) since Apple doesn't yet trust the WoSign root certificates.
      • All other clients listed on this StartCom list will still work but only with the SHA1 chain.

    Hope this clarifies most issues.

    If you want to do your own hunt for intermediate certificates you can use these websites where WoSign offers its root and intermediate certs:

    https://wosign.com/root/

    https://www.wosign.com/English/root.htm

    http://www.wosign.com/new/english/root.htm

    https://support.wosign.com/en/index.php?/News/NewsItem/View/2/wosign-root-certificates

    Thanked by 2rm_ NanoG6
  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    cidero said: It means that it is not possible to get a complete SHA256 chain with the Chinese certificate neither (on old browsers).

    Yeah but old browsers also won't care about it being SHA1 and will not show any warnings due to that.
    The main battle ground is getting SHA256 chain to work in new browsers. :)

  • Right, old browsers will continue to be happy with SHA1. On most current browsers the SHA256 chain already works great!

    Only Safari/Chrome users on Apple or IE/Chrome users on Windows who EXPLICITLY block their certificate updates still need the cross-signed SHA1 StartCom certificate. I am quite confident that Apple will include the WoSign root certificate in the future - before Chrome is showing nasty error messages.

  • Just noticed they issue certs manually, during working hours 9-5 China time.

  • @cidero I get the yellow lock warning for this method: your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

  • rm_ IPv6 Advocate, Veteran

    comXyz said: I get the yellow lock warning for this method: your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

    Which browser and OS?

    Do you not get the yellow warning with any other method (which)?

  • @rm_ said:
    Do you not get the yellow warning with any other method (which)?

    It's Chrome 39 on Windows 8.1.

    The English method doesn't work for me, and it shows yellow warning. The Chinese method works, and it shows green lock.

    cidero said: For the English certificate use this:

    your-domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt

    For the Chinese certificate use this:

    your-domain.com.crt -> ca2_dv_free_2.crt -> ca2_xs_sc_new.crt
  • typh0n Member
    edited January 2015

    Nvm, got it.

  • rm_ IPv6 Advocate, Veteran

    comXyz said: The English method doesn't work for me, and it shows yellow warning. The Chinese method works, and it shows green lock.

    I suppose you have a Chinese language cert. If so, then this seems to be normal.

  • I submitted a csr and never received my certificate. Guess I'll just wait for the EFF to get going with their cert authority.

  • What do you guys mean by domain.com.crt -> ca1_dv_free_2.crt -> ca1_xs_sc_new.crt?

    Do you mean post all the encrypted contents in the ca bundle file?

  • Nomad Member
    edited January 2015

    No, combine them and point your server to that certificate.

    Like:

    cat your-domain.com.crt ca2_dv_free_2.crt ca2_xs_sc_new.crt > domainbundle.crt
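    As an added example (not code from this thread, from WoSign or from any server project), here is a small stdlib-only Python checker for the bundle ordering cidero describes and for a file built with the `cat` line above: it splits a PEM bundle, walks just enough DER to read each certificate's subject, issuer and signature algorithm, then reports out-of-order certificates and any SHA-1-signed link in the chain. The `fake_cert` builder and the names used with it are constructed, unsigned test data, not real WoSign or StartCom certificates; on a real file call `check_bundle(open("domainbundle.crt").read())`.

```python
import base64, re

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5 sha1WithRSAEncryption (RFC 3279)
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption (RFC 4055)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(tag, content):
    """Encode one DER TLV (short form and 1- or 2-byte long-form lengths suffice here)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def untlv(buf):
    """Split a DER body into its top-level (tag, content) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F; ln = int.from_bytes(buf[pos:pos + k], "big"); pos += k
        out.append((tag, buf[pos:pos + ln])); pos += ln
    return out

def cert_fields(der):
    """Return (subject DER, issuer DER, signature OID) of one X.509 certificate."""
    (_, cert), = untlv(der)                             # Certificate ::= SEQUENCE {tbs, sigAlg, sig}
    (_, tbs), (_, sig_alg), _ = untlv(cert)
    f = untlv(tbs)
    if f[0][0] == 0xA0: f = f[1:]                       # skip optional explicit [0] version
    # f = serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return f[4][1], f[2][1], untlv(sig_alg)[0][1]

def check_bundle(pem):
    """List chain problems: issuer not matching the next cert's subject, or a SHA-1 signature."""
    certs = [cert_fields(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem)]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:              # byte-for-byte DN match, as real chains have
            problems.append(f"cert {i}: issuer does not match subject of cert {i + 1}")
    for i, (_, _, oid) in enumerate(certs):
        if oid == SHA1_RSA:
            problems.append(f"cert {i}: signed with SHA-1")
    return problems

def fake_cert(subject, issuer, sig_oid):
    """Constructed, unsigned stand-in with a real certificate's outer layout (test data only)."""
    name = lambda s: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, s.encode()))))
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer)
              + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    b64 = base64.b64encode(tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
```

    A chain ending in the StartCom cross-sign reports the SHA-1 link; swapping leaf and intermediate reports the order error.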

  • rm_ IPv6 Advocate, Veteran
    edited January 2015

    Nomad said: No, combine them and point your server to that certificate.

    It's different depending on which server you use. E.g. with Lighttpd the CA certs have to be in the "ssl.ca-file", but your certificate and private key in "ssl.pemfile": http://redmine.lighttpd.net/projects/1/wiki/docs_ssl

  • cosmicgate Member
    edited January 2015

    I'm using apache. I only combined domain.crt to the top of bundle.crt and that gave me a green on latest chrome.
