Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).
First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800 page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.
On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.
As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:
The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.
To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.
Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.
In order to download the certificate, you need to use the client built into openssl like so:
echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
| openssl x509 > /tmp/$SERVERNAME.cert
That will save the certificate to /tmp/$SERVERNAME.cert.
The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.
You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, so you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.
echo -n gives a response to the server, so that the connection is released.
openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.
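As an added example (not code from the original answer), here is a small POSIX shell toolkit built around the two recipes above: the sed range that keeps every certificate, a helper that pulls out certificate number N (0 is the server certificate, i.e. the one block openssl x509 would parse from the same transcript), and a fetch_chain wrapper around openssl s_client that selects the certificate by SNI. The transcript embedded at the top is constructed to mirror what -showcerts prints; its PEM bodies are placeholders, not real certificates. The function names, the www.example.test names and the /tmp/<servername>.chain.pem output path are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answer. A small toolkit around the
# answer's two recipes: `openssl x509` keeps only the first (server) certificate
# from an s_client transcript, while the sed range keeps every certificate.
# Assumptions: POSIX sh with sed, awk and grep; openssl is needed only by
# fetch_chain, which talks to a live server and is not run by default.

# Constructed transcript in the shape `openssl s_client -showcerts` prints.
# The PEM bodies are placeholders, not real certificates.
SAMPLE_TRANSCRIPT=$(cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Constructed Intermediate CA
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB-constructed-leaf-placeholder
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
   i:CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIB-constructed-intermediate-placeholder
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
issuer=CN = Constructed Intermediate CA
---
SSL handshake has read 2301 bytes and written 415 bytes
EOF
)

# Keep every PEM certificate block and drop the connection chatter: this is
# the sed range from the answer. Reads a transcript on stdin.
extract_chain() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of certificates in a PEM stream read from stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only certificate number N (0 = server certificate, as s_client numbers
# them). nth_cert 0 yields the same block that `openssl x509` would parse.
nth_cert() {   # nth_cert <n>
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want + 1 { print }
        /-----END CERTIFICATE-----/ && n == want + 1 { exit }'
}

# Live use: download the whole chain from a server, selecting the certificate
# by SNI. stdin is /dev/null so s_client exits once the handshake is done
# (a portable equivalent of the answer's `echo -n |`).
fetch_chain() {   # fetch_chain <host> <port> [servername]
    openssl s_client -connect "$1:$2" -servername "${3:-$1}" -showcerts </dev/null 2>/dev/null \
        | extract_chain
}

if [ "$#" -ge 2 ]; then
    out="/tmp/${3:-$1}.chain.pem"          # assumed output path
    fetch_chain "$@" > "$out"
    echo "saved $(count_certs < "$out") certificate(s) to $out"
else
    echo "sample transcript: $(printf '%s\n' "$SAMPLE_TRANSCRIPT" | extract_chain | count_certs) certificates in the chain"
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | nth_cert 0
fi
```

Run it with a host and port (for example, sh fetch.sh HOST 443 SERVERNAME) to save the chain; with no arguments it works on the constructed transcript and prints the server certificate block only. Feeding the same transcript to openssl x509 would give you that first block alone, which is exactly why the sed range is needed when you want the intermediates too.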
Best Answer
Did you use the right intermediate and is it chained properly? VeriSign certificates are extremely picky.
I'd suggest trying the following:
1) Use VeriSign's site to look up the common name for the cert: https://securitycenter.verisign.com/celp/enroll/outsideSearch?application_locale=VRSN_US&originator=VeriSign:CELP
2) Cross-reference the name in the search with the required intermediate here: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO11501&actp=search&viewlocale=en_US&searchid=1275755447299
3) Examine the certificate bundle you received and ensure that the certs match up. You can use OpenSSL, keytool, Windows etc... whatever tools you have available.
4) Ensure that the root certificate exists on the server. Windows will usually already have them updated.
Cheers,
-M
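As an added example (not part of the answer above), here is a shell script that mechanises steps 3 and 4: it lists each certificate's subject and issuer in bundle order, reports the first place where an issuer does not match the next subject (a wrong or missing intermediate), and then verifies the server certificate against a trusted root with openssl verify. The root, intermediate and leaf it uses are a throwaway chain constructed inside the script, not VeriSign's; the function names, the www.example.test name and the "Constructed ... CA" names are my own assumptions, and it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer. Checks that a PEM bundle
# "chains properly" in the sense of step 3 (each certificate's issuer is the
# subject of the one that follows it) and verifies the server certificate up
# to a trusted root as in step 4. Assumptions: POSIX sh with awk and sed, and
# openssl 1.1.1 or later on PATH. The root/intermediate/leaf used below are a
# throwaway chain constructed here, not VeriSign's.

# Print one line per certificate in bundle order: "<subject>|<issuer>".
chain_pairs() {   # chain_pairs <bundle.pem>
    split_dir=$(mktemp -d)
    awk -v d="$split_dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
    i=1
    while [ -f "$split_dir/$i.pem" ]; do
        subj=$(openssl x509 -noout -subject -in "$split_dir/$i.pem" | sed 's/^subject= *//')
        iss=$(openssl x509 -noout -issuer -in "$split_dir/$i.pem" | sed 's/^issuer= *//')
        printf '%s|%s\n' "$subj" "$iss"
        i=$((i + 1))
    done
    rm -rf "$split_dir"
}

# Exit 0 when every issuer matches the next subject; otherwise report the first
# break and exit 1. A wrong or missing intermediate shows up here immediately.
check_chain() {   # check_chain <bundle.pem>
    chain_pairs "$1" | awk -F'|' '
        NR > 1 && $1 != prev_issuer { printf "break between cert %d and %d: issuer \"%s\" is not subject \"%s\"\n", NR - 1, NR, prev_issuer, $1; bad = 1 }
        { prev_issuer = $2 }
        END { exit bad }'
}

# Verify the first certificate of the bundle against a trusted root, using the
# rest of the bundle as untrusted intermediates. Returns openssl's exit status.
verify_leaf() {   # verify_leaf <bundle.pem> <root.pem>
    leaf=$(mktemp)
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }' "$1" > "$leaf"
    openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1
    rc=$?
    rm -f "$leaf"
    return $rc
}

# Build a constructed chain (root -> intermediate -> leaf) plus an unrelated
# self-signed CA, and two bundles: one chained correctly, one with the wrong
# intermediate (the mistake steps 1 and 2 are meant to catch).
make_demo_certs() {   # make_demo_certs <dir>
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=Constructed Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Intermediate CA' -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/openssl.cnf" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
    openssl req -new -config "$d/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=www.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 1 -extfile "$d/openssl.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
    openssl req -x509 -config "$d/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=Constructed Other CA' -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/good-bundle.pem"
    cat "$d/leaf.pem" "$d/other.pem" > "$d/bad-bundle.pem"
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for bundle in good-bundle.pem bad-bundle.pem; do
    printf '%s: ' "$bundle"
    if check_chain "$demo_dir/$bundle" && verify_leaf "$demo_dir/$bundle" "$demo_dir/root.pem"; then
        echo "chains properly and verifies against the root"
    else
        echo "does NOT chain"
    fi
done
rm -rf "$demo_dir"
```

To use it on a real bundle, concatenate the server certificate followed by the intermediate(s) into one PEM file and call check_chain on it, then verify_leaf with the root you expect the server (or Windows) to trust; the break message names the exact pair that does not line up, which is the quickest way to spot a mismatched intermediate.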