The job of the SSL certificate authority(CA)/provider is to validate your organizational identity so that when customers access your web site, they not only get the padlock for security, but they know that your identity as the fully qualified hostname are authentic and not some phishing scam. True, most all users look no further than … Read more
Unless extremely accurate timekeeping is mission-critical for you there should be no discernible effect for your users, aside from their clocks changing by 2 minutes. The possible exception is if they declare your NTP server to be “insane” as a result of the large change (which would require you to restart the NTP service on … Read more
There’s no use to including it. If the client browser or library has it as a trusted certificate then it obviously doesn’t need another copy, if it doesn’t have it then including it isn’t going to make it trust it. I have no idea why Namecheap would include it in their instructions. Abundance of caution? … Read more
The expiry was set in 2037 to avoid the possibility of running into the Unix year 2038 date problem. Basically in early 2038 Unix dates will no longer fit in a signed 32bit integer so using a date just before then avoids triggering any code not yet updated to fix the problem. Root certificates take … Read more
If I remember correctly, we were quoted something like 150k to start then 75k per year when we looked into this.
It seems that this is due to the oddball GPO that my company uses. As outlined here the GPO setting Computer Configuration\Administrative Templates\System\Internet Communication Management\Turn off Automatic Root Certificates Update was Enabled, meaning that the OS wouldn’t pull root CAs from Microsoft. Setting this to Disabled fixed the issue.
But what happens if my CA itself expires (root CA an thus issuing CAs)? Literally, nothing. Let’s explain it a bit in more details. If the signature is not timestamped, the signature is valid as long as: data is not tampered signing certificate is time valid neither certificate in the chain is revoked root certificate … Read more
I haven’t tried this, but there is a PKI PowerShell provider from https://pspki.codeplex.com/ that has a lot of interesting looking functions like Revoke-Certificate followed by Remove-Request: Deletes specified certificate request row from Certification Authority (CA) Database. This command can be used to reduce CA database size, by deleting unnecessary certificate requests. For example, delete failed … Read more
If the chain is sufficient depends on the CA store of the client. It looks like Firefox and Google Chrome have included the certificate for “COMODO RSA Certification Authority” end of 2014. For Internet Explorer it probably depends on the underlying OS. The CA might not yet be included in trust stores used by non-browsers, … Read more
There is significant difference between Standalone and Enterprise CAs and each have its usage scenario. Enterprise CAs This type of CAs offer the following features: tight integration with Active Directory When you install Enterprise CA in AD forest, it is automatically published to AD and each AD forest memeber can immediately communicate with CA to … Read more