Great tool. I wonder how well its chain selection strategy works in
practice though.
The README [1] says:
"If multiple certificate chains are found, the shortest one is used."
That's a good strategy for a browser to employ when deciding which chain
to show in its certificate viewer, but it's unlikely to be the best
strategy when configuring a server.
There's often a cross-certificate issued by an older root to a newer
root. For compatibility with browsers that don't trust the newer root,
the server should send that cross-certificate too (even though it isn't
part of the shortest chain).
Using the longest available chain isn't always the correct strategy
either though.
[1] https://github.com/SSLMate/mkcertchain
On 24/03/15 11:40, Gervase Markham wrote:
> Discovered today:
> https://whatsmychaincert.com/
> That seems like a great resource for when we get those emails that say
> "my cert isn't working in Firefox - why?"
> Thanks to Andrew of SSLMate for putting the site together.
> Gerv
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
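Added example, not code from this thread or from mkcertchain: a toy model of the chain-selection question Rob raises. Certificates are plain (subject, issuer) records; signatures, validity periods and key matching are deliberately out of scope. The CA names, the cross-certificates and the two client trust stores are all constructed for illustration. It enumerates every chain from a leaf to a self-signed root, applies the "shortest chain" rule, and then checks which clients each chain actually satisfies, so that the chain containing the cross-certificate (not the shortest, and not the longest) is the one that serves both old and new trust stores.

```python
"""Added example, not code from the thread or from mkcertchain: a toy model of
how chain selection interacts with cross-certificates. Certificates are
plain records (subject, issuer); signatures, validity periods and key
matching are deliberately out of scope. All names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed PKI. "Old Root" has cross-signed "New Root", and a still older
# "Legacy Root" (trusted by no client in this example) once cross-signed "Old Root".
LEAF = Cert("example.test", "Intermediate CA")
INTERMEDIATE = Cert("Intermediate CA", "New Root")
NEW_ROOT = Cert("New Root", "New Root")
CROSS_NEW_BY_OLD = Cert("New Root", "Old Root")        # cross-certificate
OLD_ROOT = Cert("Old Root", "Old Root")
CROSS_OLD_BY_LEGACY = Cert("Old Root", "Legacy Root")  # older cross-certificate
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root")

POOL = [INTERMEDIATE, NEW_ROOT, CROSS_NEW_BY_OLD, OLD_ROOT,
        CROSS_OLD_BY_LEGACY, LEGACY_ROOT]

# Constructed trust stores of the clients the server cares about.
CLIENTS = {"modern": {"New Root"}, "older": {"Old Root"}}


def all_chains(leaf, pool):
    """Every path from the leaf up to a self-signed root, built by matching
    each certificate's issuer name to a candidate's subject name."""
    chains = []

    def walk(chain):
        top = chain[-1]
        if top.self_signed:
            chains.append(chain)
            return
        for cand in pool:
            if cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return chains


def shortest_chain(chains):
    """The README rule under discussion: pick the shortest chain."""
    return min(chains, key=len)


def validates(chain, trust_store):
    """Toy client: accepts the chain if any certificate above the leaf has a
    subject the client trusts (a stand-in for reaching a trust anchor)."""
    return any(c.subject in trust_store for c in chain[1:])


def clients_served(chain, clients):
    return {name for name, store in clients.items() if validates(chain, store)}


def best_chain(chains, clients):
    """Prefer the chain that satisfies the most client trust stores, then the
    shortest among those: length alone is the wrong criterion either way."""
    return max(chains, key=lambda ch: (len(clients_served(ch, clients)), -len(ch)))


def server_bundle(chain):
    """What to configure on the server: leaf and intermediates (including any
    cross-certificate); self-signed roots are left out, clients hold their own."""
    return [c for c in chain if not c.self_signed]


if __name__ == "__main__":
    chains = all_chains(LEAF, POOL)
    for ch in chains:
        print(len(ch), [c.subject for c in ch], "serves", clients_served(ch, CLIENTS))
    chosen = best_chain(chains, CLIENTS)
    print("shortest:", [c.subject for c in shortest_chain(chains)])
    print("send:", [c.subject for c in server_bundle(chosen)])
```

Running it lists three chains: the shortest (leaf, intermediate, New Root) is accepted only by the "modern" store; the longest, via the legacy cross-certificate, adds a certificate that no client needs; the chain ending at Old Root through the cross-certificate serves both, and its server bundle is leaf, intermediate and cross-certificate. Selecting by the trust stores you intend to support, rather than by chain length, is the point of the exercise.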