[Gpg4win-users-en] Commonly accepted SSL/TLS certificate for gpg4win websites
Thomas Arendsen Hein
thomas at intevation.de
Thu Oct 15 16:04:58 CEST 2015
There has been some discussion about SSL/TLS certificate that are
automatically accepted by usual web browsers on this list (and
TL;DR: We want to switch to a commercial SSL certificate for
the gpg4win web and download services soon. Mailing list and forum
will not yet be changed.
= The current situation =
The current certificate is provided by our own CA, which is not
known by most browers unless the root certificate is imported from
* Why don't we just buy a certificate?
We currently have to do this, because the certificate includes
over 40 SAN entries (including a wildcard entry) in a single
certificate: wald.intevation.org, *.wald.intevation.org and many
entries for the projects hosted on Wald.
I'm not aware of any commercial CA that offers such certificates,
I have only found CAs which offer 24 SAN entries, and then they
don't allow wildcard entries.
* Why don't we simply use more IPs?
IPv4 IPs are a scarce resource, we don't want to waste them. But
we tried adding some extra IPs to our Wald server to have separate
SSL certificates for the most important services:
- *.wald.intevation.org and wald.intevation.org
- the 4 gpg4win hostnames currently hosted on Wald (gpg4win.org,
gpg4win.de and both prefixed with "www.")
- everything else (using a certificate signed by our own CA, like
the current one)
The main problem here was the templating mechanism of FusionForge
for the web server configuration files for Wald. Some early
attempts to adjust this failed, and because or admin capacities
were needed in other projects, we did not continue with this
approach. It certainly is possible, but might be too
time-consuming. If adjusting Wald fails, we could use a
workaround: A simple proxy or TCP forwarder in front of Wald, but
at that time, Wald was under heavy load and we did not want to add
extra overhead for a workaround. Since then we upgraded to more
powerful hardware, so this might be possibility for the future.
* Why don't we simply use SNI to present different certificates?
1. Same reasons as above: We need to adjust the FusionForge
templating or add a proxy/forwarder as a workaround.
2. SNI has only very recently become supported by most browsers
and there is still some software that does not support SNI:
- Internet Explorer on Windows XP (should not be relevant
anymore, but unfortunately it is)
- older wget (as included in the still supported Debian wheezy)
- Python before 2.7.9 (again Debian wheezy)
- Mercurial before version 3.3 (Debian jessie has 3.1.2)
- Java 6 (even at the current patch level)
- Not sure if Android 2.x still counts, but I mention it for
I want to use SNI in the future, but I assume this still has to
wait a bit for getting Windows XP with IE usage below 1% and
maybe even Debian jessie becoming oldstable.
= The proposed next step for gpg4win =
My plan is to buy a certificate with the following SAN entries:
www.gpg4win.org (main address)
With a lifetime of three years, this will cost us 640€ for a
certificate from GeoTrust (see below for why we use GeoTrust).
The certificate will be installed on the server that currently hosts
files.gpg4win.org, so downloads from there will immediately become
trusted without importing Intevation's CA.
I will upgrade the server so it can offer TLS1.2, like Wald already
As the content of www.gpg4win.org is generated into static files,
moving the gpg4win website to this server is easy. Updating the
website can be done by the same people who can publish new releases,
but others can be added if needed, too.
If there are no objections, I can start with this.
= Future steps =
The mailing lists are currently hosted on Wald. As most mails sent
to and received from the list are transferred via unprotected SMTP
connections, having SSL would be nice (especially for the Mailman
web interface), but is less important than website and downloads.
A possible solution could be to move the mailing lists to
lists.gnupg.org, which already provides a certificate signed by a CA
known to modern browsers.
But this would not solve secure access to the web forums on Wald and
most solutions for the forums would also provide a solution for the
I assume the most appropriate solution would be to buy a wildcard
certificate for Wald, which would cost 1380€ for three years for the
certificate and the additional required IPv4 IP, and solve or
work around the FusionForge templating mechanism.
= Comments on alternative CAs =
Yes, there are cheaper CAs than GeoTrust, but it has some benefits
that others can't offer us:
- It is a well-known CA that is accepted by all relevant browsers
and other https clients.
- A German reseller that sends us a single invoice for all
certificates we have bought, so our accounting does not run into
issues or has to pay a separate invoice for each certificate.
Despite having our own CA, we have bought many certificates for
customers and some of our other servers.
- Because of this it can't happen that our credit card gets charged
beyond the monthly limit and will leave our CEO stranded somewhere :)
- If things go wrong, we can call a real human!
- We can buy certificates for domains or subdomains, that we do not
own. This applies to the gpg4win domains, too. GeoTrust will
contact the owner and ask for permission.
- It is not Comodo, see e.g.
so it is less likely that your sysadmin has marked it as
- It is still cheaper than some other CAs which offer a similar
level of quality.
Whew! That was long. Thanks for reading (or skimming). Feel free to
contact me via this list (I subscribed some weeks ago) if you have
questions or comments.
Thomas Arendsen Hein
thomas at intevation.de - http://intevation.de/~thomas/ - OpenPGP key: 0x5816791A
Intevation GmbH, Neuer Graben 17, 49074 Osnabrueck - AG Osnabrueck, HR B 18998
Geschaeftsfuehrer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 181 bytes
Desc: not available
More information about the Gpg4win-users-en