# EV SSL Certificates

## Anquietas

Hello,

I have a small organization here and I want to give my users access to some classified resources from my server.

For that, I need, besides SSH and SFTP, an SSL connection to Apache.

I've already created myself a Local Authority, by creating a CA Certificate.

Everybody in my organization is installing my CA Root Certificate in their browsers so they can navigate without problems over my SSL connections and server certificates without having to worry about "Browser exception errors" and other bullshit.

Now, I have a question:

Everything works fine, connection is encrypted, no error messages... but... Mozilla Firefox says "This website does not supply identity information."

I understand that for that, I need to have EV (Extended Validation) SSL Certificates.

How do I create my own EV SSL? Because it's disturbing to see that some browsers "are not satisfied" with my current website information... they need more info and more info... more stupidity.... If I already have a certificate...

However, I understand that the EV Certificate differs only with a couple of extra lines from the standard certificate.

Is it worth implementing?... or is this EV SSL only bullshit not worth bothering with?...

If there is a chance to create EV SSL certs with openssl, how do I create them?

----------

## Anquietas

well.. anyone? ideas? suggestions? anyone expert in openssl?...

----------

## nobspangle

As I understand it EV certificates can only be issued by certain CAs.

In your situation EV is useless as you aren't paying a company to validate your identity.

----------

## Anquietas

yes, but, in fact, why I wish to do it is because I am me, I know who I am, I am both the private CA and the beneficiary of the certificate.

And I want to fully certify myself... not just 80% or 90%.. I want full 100% certification for myself, issued by myself... in order to turn my browser address bar green and to have the maximum certification I can do for myself.

Technically, an EV differs from a simple one only by a few lines added in the cert... If I could somehow find out those lines and incorporate them into OpenSSL, I think it would be ok.

I could generate my own EV CA and own EV SSL Certs... as long as I use them only in private organization... I don't think it would create any problems.

----------

## think4urs11

did you already read http://www.gerv.net/security/self-signed-certs/?

----------

## Anquietas

yes, those points are valid for PUBLIC certification.

I am a small organization, made up of 10 people and 20-30 computers.

Everything works by trust.

I don't need external visitors, because the areas I am protecting are sensitive: Admin Panels, E-mail accounts, phpMyAdmin and some stuff like this, which is exclusively for private use.

I am NOT a bank, I don't need the public to visit my https pages.

I don't need to pay money to identify myself. I know who I am, and the people that are working with me know who I am; I only want maximum certification from my own CA towards my own certificates.

Phrases like "This web site does not supply identity information" are entirely wrongly formulated, for obvious reasons I won't get into right now.

That's why I've created my own CA, and my own digital certificates.

I only wish to issue myself EV certificates, to give the browser maximum confidence while working in my Local Group.

Just like there is an "openssl x509..." command for generating SSL certs, there must be something similar for creating EV SSL certificates to import in the browser and use them fully only in my organization.

There are some codes that I unfortunately don't know... but if I get help or find them out, I don't think it would be a problem issuing my own EV SSL certs as long as they are not public.

----------

## Hu

Perhaps you could use the OpenSSL X509 commands to dump out all the fields from both a regular public CA certificate and an extended validation public CA certificate.  Compare the two for any differences that would account for the extended validation CA having that property.  Once you find why such certificates are special, then we can investigate how to make one.

----------

## Anquietas

yes, I want exactly that... the correct lines of field types for generating an EV SSL Certificate...

I know it is possible; everything comes down to openssl, I just need to modify openssl.cnf somehow...

If only I knew those lines, I could generate an EV CA and afterwards an EV SSL Cert...

That is the help I need... the correct lines to use in openssl to create EV SSL Cert.

----------

## think4urs11

creating a CSR with correct format isn't too hard, see EV-SSL

creating a CA which is accepted by a browser as 'EV-SSL CA' and having it 'greening the bar' seems to be somewhere between tough and near impossible (without patching the source) according to EV-SSL

----------
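
Added example (not code from any post in this thread, and not a way to get a green bar): it carries out Hu's suggestion of dumping and comparing certificate fields, and shows concretely what think4urs11 means. Two throwaway self-signed certificates are built with the same key and subject; one is plain, the other carries the CA/Browser Forum EV policy OID 2.23.140.1.1 in its certificatePolicies extension. The subject name, file names and the scratch directory are constructed for the example. Requires the `openssl` command line tool.

```shell
#!/bin/sh
# Added example: build a plain and an "EV-looking" self-signed cert, then dump
# and compare them with openssl x509, as Hu proposed. Subject, paths and the
# scratch directory are constructed; 2.23.140.1.1 is the real CA/B Forum EV OID.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config: [plain_ext] has no policy, [ev_ext] adds the EV OID.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = intranet.example.test
O = Example Org (constructed)

[ plain_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:intranet.example.test

[ ev_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:intranet.example.test
certificatePolicies = 2.23.140.1.1
EOF
}

# One RSA key, reused for both certificates so only the extensions differ.
make_key() {
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
}

# Self-signed leaf using extension section $1, written to file $2.
make_cert() {
  openssl req -x509 -new -key "$WORK/key.pem" -days 1 -sha256 \
    -config "$WORK/openssl.cnf" -extensions "$1" -out "$2" 2>/dev/null
}

# Print only the X509v3 extensions block of the -text dump of cert $1.
extensions_text() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 extensions/,/Signature Algorithm/p'
}

# Print the policy OIDs in the Certificate Policies extension of cert $1,
# one per line ("Policy:" lines only occur inside that extension).
policy_oids() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: *//p'
}

# Succeeds only when cert $1 carries the CA/B Forum EV policy OID.
has_ev_policy_oid() {
  policy_oids "$1" | grep -qx '2\.23\.140\.1\.1'
}

write_config
make_key
make_cert plain_ext "$WORK/plain.pem"
make_cert ev_ext "$WORK/ev.pem"

# Hu's comparison: the extension blocks differ by exactly the policy lines.
extensions_text "$WORK/plain.pem" > "$WORK/plain.txt"
extensions_text "$WORK/ev.pem" > "$WORK/ev.txt"
echo "== extension differences, plain.pem vs ev.pem =="
diff "$WORK/plain.txt" "$WORK/ev.txt" || true

for c in plain ev; do
  if has_ev_policy_oid "$WORK/$c.pem"; then
    echo "$c.pem: carries EV policy OID 2.23.140.1.1 (browser still treats it as DV)"
  else
    echo "$c.pem: no Certificate Policies extension"
  fi
done
```

Running it shows the whole "difference" is two lines in the extension block, which is why the CSR part is easy. It also shows why that does not help: browsers grant EV treatment only when the chain ends at a root certificate the browser vendor ships paired with that CA's EV policy OID, so a private root never qualifies no matter which OIDs its leaf certificates carry. A self-signed chain with this OID is therefore indistinguishable from a plain one for every practical purpose, and the check above is only useful for inspecting certificates you did not issue.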

## Anquietas

are you saying that even if I create an EV-CA, the browser will not recognize it?....

ehh.. anyway... I suspected that it wouldn't work...

Frankly, I don't really give a damn.... the important thing is that I have a Secure Channel, no matter what kind of certificate I am using :Smile:

I just wanted to green-bar my browser and have that damn incorrect line "This website.." removed... but, in the end, I don't give a damn...

Standard Certificates are ok, my interest is purely technical, if the SSL Stream exists, nothing else matters...

----------

## think4urs11

*Anquietas wrote:*

> are you saying that even if I create an EV-CA, the browser will not recognize it?....

no, I'm saying that you cannot create your own CA as easily as a 'non EV-SSL' one _and_ have the browser accept it to greenify the address bar.

You want green - you (your CA) must be compliant with what the guys at cabforum want.

----------

## Anquietas

well, I cannot be compliant with that.. because I'm a private organization and I don't have money to buy even a standard certificate... anyway, for what I need, a self-signed CA and cert rulz; for 10 people who are using my services, it's enough to install my root certificate on their systems and browse my secured pages.

----------

