SSL certificates and user agents

My first experience with SSL certificates turned out to be not so great. I screwed up so many Apache 1.3 configs and caused more downtime on (thankfully) non-critical systems than I care to think about, but at least it armed me for today.

I looked around and decided on GoDaddy's UCC (Multiple Domain) offering as I felt it was the most appropriate option if I were to apply an SSL cert to example.com, secure.example.com, imap.example.com and smtp.example.com.

I generated a CSR with example.com as my CN, and downloaded my certificate file. I then unlocked it with my keyfile so that daemons would fire up without having to ask for a password, chmod'ed and chown'ed them appropriately, and reconfigured postfix, dovecot and lighttpd to use the new certificates, all without too many hitches.
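The steps above, as an added example that is not from the original post: generate the key and a CSR with CN=example.com that lists all four hostnames as subject alternative names, strip the passphrase from the key, lock the file down, and then check the result. Because a real CA's issued certificate cannot be reproduced offline, the script stands up a throwaway two-tier CA of its own; "Demo Root CA", "Demo Intermediate CA", the passphrase "changeit", and the file names are assumptions standing in for GoDaddy's real chain. It also carries the check a practitioner wants before blaming the user agents: a CA-issued certificate is only as good as the chain the server sends with it. Browsers often already hold, or go and fetch, the CA's intermediate certificate, while mail clients generally do not, so a leaf served without its intermediate produces the same "not trusted, someone could be impersonating you" warning as a self-signed one even though the certificate is perfectly good.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds a throwaway "Demo Root CA" and
# "Demo Intermediate CA" (hypothetical names standing in for GoDaddy's real chain),
# issues a certificate for the four hostnames from the post with CN=example.com, strips
# the passphrase from the private key, locks the file down, and then verifies the leaf
# both without and with the intermediate. Needs the openssl CLI (1.1.1 or newer).
set -e

HOSTS="DNS:example.com,DNS:secure.example.com,DNS:imap.example.com,DNS:smtp.example.com"

# Private openssl config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$1/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $HOSTS
EOF
}

# Root CA plus an intermediate signed by it: the shape of every public CA's chain.
make_demo_ca() {
  write_config "$1"
  openssl req -x509 -config "$1/demo.cnf" -extensions ca_ext -subj "/CN=Demo Root CA" \
    -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.pem" -days 1 2>/dev/null
  openssl req -new -config "$1/demo.cnf" -subj "/CN=Demo Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -days 1 -extfile "$1/demo.cnf" -extensions ca_ext -out "$1/int.pem" 2>/dev/null
}

# Server key (generated encrypted, as a CA customer would keep it) and a CSR whose
# CN is example.com and whose SAN lists every hostname the one cert must cover.
make_server_key_and_csr() {
  openssl genrsa -aes256 -passout pass:changeit -out "$1/example.com.enc.key" 2048 2>/dev/null
  openssl req -new -config "$1/demo.cnf" -key "$1/example.com.enc.key" -passin pass:changeit \
    -subj "/CN=example.com" -addext "subjectAltName=$HOSTS" -out "$1/example.com.csr" 2>/dev/null
  # Strip the passphrase so postfix/dovecot/lighttpd start unattended, then make the
  # plaintext key readable by its owner only.
  openssl rsa -in "$1/example.com.enc.key" -passin pass:changeit -out "$1/example.com.key" 2>/dev/null
  chmod 600 "$1/example.com.key"
}

# The "CA" signs the CSR. x509 -req does not copy extensions from the CSR, so the
# SAN list is applied again from [leaf_ext]; a real CA does the equivalent itself.
issue_server_cert() {
  openssl x509 -req -in "$1/example.com.csr" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial \
    -days 1 -extfile "$1/demo.cnf" -extensions leaf_ext -out "$1/example.com.crt" 2>/dev/null
  # What the daemons should serve: leaf first, then the intermediate.
  cat "$1/example.com.crt" "$1/int.pem" > "$1/example.com.chain.pem"
}

# A client that trusts only the root and is handed the bare leaf: this fails with
# "unable to get local issuer certificate", the class of warning a mail client shows.
verify_leaf_alone() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" "$1/example.com.crt" >/dev/null 2>&1
}

# The same client handed the chain file (leaf + intermediate) succeeds.
verify_leaf_with_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/root.pem" \
    -untrusted "$1/example.com.chain.pem" "$1/example.com.crt" >/dev/null 2>&1
}

# Does the certificate actually cover the name the client connected to?
cert_covers_host() {
  openssl x509 -in "$1/example.com.crt" -noout -checkhost "$2" | grep -q "does match"
}

WORK=$(mktemp -d)
make_demo_ca "$WORK"
make_server_key_and_csr "$WORK"
issue_server_cert "$WORK"
if verify_leaf_alone "$WORK"; then echo "leaf alone: verifies"; else echo "leaf alone: FAILS (intermediate missing)"; fi
if verify_leaf_with_chain "$WORK"; then echo "leaf + intermediate: verifies"; fi
for h in imap.example.com smtp.example.com webmail.example.com; do
  if cert_covers_host "$WORK" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
rm -rf "$WORK"
```

On the real box the chain file is what goes into the daemon configs: postfix's smtpd_tls_cert_file and dovecot's ssl_cert (ssl_cert_file in 1.x) take the leaf followed by the intermediate, and lighttpd takes the intermediate separately via ssl.ca-file next to ssl.pemfile. The live equivalent of verify_leaf_with_chain is `openssl s_client -connect imap.example.com:993 -CAfile <root>` and reading the "Verify return code" line; if it says "unable to get local issuer certificate", the server is not sending the intermediate, and that is the first thing to fix before touching any client.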

The problem came from the user agents.

Mozilla Firefox and Google Chrome behaved, showing the padlock (I haven't tested under IE, Konqueror or Opera at this point); however, Mozilla Thunderbird and Google's Android Email client didn't play ball.

Mozilla Thunderbird showed me the certificate and said it might not be trusted or that someone could be impersonating me. This is quite odd given that the correct mail server (imap.example.com) had been entered as the mail server, and no typos were found in the certificate Thunderbird had retrieved. My experience with the Android client was even worse because that is what started off this whole venture!

Android doesn't trust self-signed certificates, which is fair enough - nobody should. But the user agent should give you the option to allow it. Most UAs that come to mind can do this. I looked around but couldn't find a solution for Android 1.1 that didn't involve rooting it, or upgrading it. At least, not without using a third party mail client like K-9. At least K-9 lets you install self-signed certificates. :)

Google could learn something very important here, as Chrome also lacks the ability to *easily* import a certificate on the fly. Warn users as they presently do about untrusted certificates, but provide an option to add them anyway, in a similar fashion to Firefox / Thunderbird. Don't force them to have to find it, and then find the certificate import wizards nestled behind several layers of menus, tabs, screens and buttons. The king of search is yet to be the king of usability.