Extended Validation SSL

Hello everyone, I've always wondered: how do Extended Validation certs get validated? What is the process? For example, how do CAs like DigiCert or VeriSign issue them? The OID for EV is 2.23.140.1.2.3. Is it possible for an internal CA or SubCA to issue these? I've got my own 2-tier PKI in my network environment, and I wanted to know if it's possible to issue EV internally.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

We're not allowed to talk about it...  

 

jk, that's a good question. Often times you see them not validated, causing alerts.

I  have GameServer`s And VOIP servers the only price is that you have fun on them. 

3 minutes ago, Abdul201588 said:

I wanted to know if it's possible to issue EV Internally.

 

Yes, I believe so. I have had to do something similar to get some services back up.

9 minutes ago, Mbarton said:

We're not allowed to talk about it...  

 

jk, that's a good question. Often times you see them not validated, causing alerts.

I see.

8 minutes ago, Mbarton said:

Yes, I believe so. I have had to do something similar to get some services back up.

Have you tried issuing EV SSL internally?

Extended validation certificates have specific OIDs, which are hardcoded into browsers' trust stores (and can't be changed after compiling) and identify which organization issued the certificate. These can be changed only if you request the browser's developer team to start accepting your OID in EV certs, which is pretty much impossible unless you are a known good certificate issuer and get approved (and this process is massive; even becoming a trusted CA is costly in terms of money and time).

 

You could build your own browser from source, adding your own CA's cert along with its EV OID to the root store, but how much will it really help?

 

Here is the code from Firefox - https://hg.mozilla.org/mozilla-central/file/0d72c7996d60/security/certverifier/ExtendedValidation.cpp

 

If you are looking to improve your internal traffic to get that green identity showing - don't bother, Chrome will stop doing it soon.

HAL9000: AMD Ryzen 9 3900x | Noctua NH-D15 chromax.black | 32 GB Corsair Vengeance LPX DDR4 3200 MHz | Asus X570 Prime Pro | ASUS TUF 3080 Ti | 1 TB Samsung 970 Evo Plus + 1 TB Crucial MX500 + 6 TB WD RED | Corsair HX1000 | be quiet Pure Base 500DX | LG 34UM95 34" 3440x1440

Hydrogen server: Intel i3-10100 | Cryorig M9i | 64 GB Crucial Ballistix 3200MHz DDR4 | Gigabyte B560M-DS3H | 33 TB of storage | Fractal Design Define R5 | unRAID 6.9.2

Carbon server: Fujitsu PRIMERGY RX100 S7p | Xeon E3-1230 v2 | 16 GB DDR3 ECC | 60 GB Corsair SSD & 250 GB Samsung 850 Pro | Intel i340-T4 | ESXi 6.5.1

Big Mac cluster: 2x Raspberry Pi 2 Model B | 1x Raspberry Pi 3 Model B | 2x Raspberry Pi 3 Model B+

26 minutes ago, jj9987 said:

Extended validation certificates have specific OIDs, which are hardcoded into browsers' trust stores (and can't be changed after compiling) and identify which organization issued the certificate. These can be changed only if you request the browser's developer team to start accepting your OID in EV certs, which is pretty much impossible unless you are a known good certificate issuer and get approved (and this process is massive; even becoming a trusted CA is costly in terms of money and time).

 

You could build your own browser from source, adding your own CA's cert along with its EV OID to the root store, but how much will it really help?

 

If you are looking to improve your internal traffic to get that green identity showing - don't bother, Chrome will stop doing it soon.

Yeah, I know about OIDs; I actually got one from here: http://pen.iana.org/pen/app

 

28 minutes ago, jj9987 said:

If you are looking to improve your internal traffic to get that green identity showing - don't bother, Chrome will stop doing it soon.

I don't use Chrome for my internal SSL, mostly because half my web applications only work with Firefox, Edge and, I believe, Opera.

Honestly, other than for fun I don't see a reason to create an EV cert. Users barely pay attention to the status of a website, half the time just clicking "continue" even when there's a problem.

 

However, pretty sure all you have to do is properly create the certificate and make sure the client machines trust your CA. Firefox has its own internal certificate store, but you can configure it to use the Windows store. IE and Chrome use the Windows store natively. You don't have to compile your own browser... sort of an absurd thought.

 

Quick google search:

https://blogs.technet.microsoft.com/askds/2009/08/14/extended-validation-support-for-websites-using-internal-certificates/

 

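The two posts above make one technical point between them: the EV policy OID is just an extension inside the certificate (so any CA, including an internal one, can put it there), but a browser decides "EV" by matching that OID together with a hard-coded root, which is what the Firefox ExtendedValidation.cpp table does. The following is an added example, not code from the thread, from Firefox or from the linked Microsoft article. It encodes and parses the certificatePolicies extension in DER and then models a browser-style (policy OID, root fingerprint) table. Assumptions: 2.23.140.1.1 is the CA/Browser Forum EV policy OID; 2.23.140.1.2.3 is the OID quoted in the opening post; the "root certificate" bytes and the table entry are constructed placeholders, not any real CA.

```python
"""Added example for this thread (not code from the forum posts or from Firefox):
how the EV policy OID is carried in a certificate's certificatePolicies
extension, and why an internal CA that copies the OID is still not shown as EV.

Assumptions, stated here and in the comments:
- 2.23.140.1.1 is the CA/Browser Forum EV policy OID.
- 2.23.140.1.2.3 is the OID quoted in the opening post.
- EV_TABLE mirrors the idea behind Firefox's ExtendedValidation.cpp (a policy
  OID paired with a root fingerprint); its entry is a constructed placeholder,
  not any real CA.
"""
import hashlib

CABF_EV_OID = "2.23.140.1.1"      # CA/Browser Forum EV policy identifier
THREAD_OID = "2.23.140.1.2.3"     # OID mentioned in the opening post


def encode_oid(dotted):
    """DER-encode a dotted OID as OBJECT IDENTIFIER (tag 0x06, short length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    # The first two arcs are packed into one value: 40 * arc1 + arc2.
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [arc & 0x7F]            # base-128; last byte has high bit clear
        arc >>= 7
        while arc:
            chunks.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunks))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def _der_seq(content):
    """Wrap content in a DER SEQUENCE (short-form length is enough here)."""
    if len(content) >= 128:
        raise ValueError("long-form lengths are not needed for this example")
    return bytes([0x30, len(content)]) + content


def build_certificate_policies(oids):
    """certificatePolicies (RFC 5280): SEQUENCE OF SEQUENCE { policyIdentifier }."""
    return _der_seq(b"".join(_der_seq(encode_oid(o)) for o in oids))


def parse_certificate_policies(der):
    """Return the policy OIDs found in a certificatePolicies extension value."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        t, oid_body, _ = _read_tlv(info, 0)   # policyQualifiers, if any, are skipped
        if t != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


# Constructed placeholder standing in for a public EV root's DER bytes.
KNOWN_EV_ROOT_DER = b"constructed placeholder: public EV root certificate"
# Browser-style EV table: (policy OID, SHA-256 fingerprint of the root).
EV_TABLE = {(CABF_EV_OID, hashlib.sha256(KNOWN_EV_ROOT_DER).hexdigest())}


def ev_status(policy_ext_der, root_der):
    """Return (policy OIDs in the leaf, whether an OID/root pair is in EV_TABLE)."""
    oids = parse_certificate_policies(policy_ext_der)
    fingerprint = hashlib.sha256(root_der).hexdigest()
    return oids, any((oid, fingerprint) in EV_TABLE for oid in oids)


if __name__ == "__main__":
    ext = build_certificate_policies([CABF_EV_OID, THREAD_OID])
    print("extension DER:", ext.hex())
    # Same extension, two different chains: only the root in EV_TABLE passes.
    print("internal CA :", ev_status(ext, b"constructed placeholder: internal root"))
    print("public EV CA:", ev_status(ext, KNOWN_EV_ROOT_DER))
```

The internal-CA chain carries exactly the same extension bytes as the public one and still comes back `False`, which is the whole answer to the opening question: the OID half of the pair is reproducible, the root-fingerprint half is not. To see what a real certificate carries, `openssl x509 -in cert.pem -noout -text` prints its Certificate Policies extension, and the OIDs there can be compared against the table in the Firefox source linked above.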

11 hours ago, Mikensan said:

Honestly, other than for fun I don't see a reason to create an EV cert. Users barely pay attention to the status of a website, half the time just clicking "continue" even when there's a problem.

 

However, pretty sure all you have to do is properly create the certificate and make sure the client machines trust your CA. Firefox has its own internal certificate store, but you can configure it to use the Windows store. IE and Chrome use the Windows store natively. You don't have to compile your own browser... sort of an absurd thought.

 

Quick google search:

https://blogs.technet.microsoft.com/askds/2009/08/14/extended-validation-support-for-websites-using-internal-certificates/

 

I've tried that method; it doesn't work for me. :(
