SSL Certificate – Required Fields in a Web Server SSL Certificate

Six years on, and it's time to rewrite this sucker from the perspective of 2015 (and a lot more personal experience in the world of commercial CAs).

First off, as far as EV certificates inspiring trust, the answer is (still) "no, not really". Independent studies of EV certificates just don't show a meaningful impact amongst typical consumers. Peter Gutmann's book, Engineering Security, is largely an 800 page rant against CAs in general, and it has a lot of references to the (in)effectiveness of EV certificates in influencing safe user behaviour throughout the text, with the highest density in the section entitled "EV Certificates: PKI-me-harder" starting on page 72.

On the other side of the argument, the parties who have the most to gain from proving EV certificate efficacy (the CAs who sell them) can't come up with any compelling evidence, either. The "best" collection of EV case studies I could dig up is amusingly long on unfounded assertion and woefully short on any sort of useful data.

As for whether EV certificates actually do anything useful to fight fraud, I'll go back to Peter Gutmann again:

The introduction [...] of so-called high-assurance or extended validation (EV) certificates [...] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.

To put it another way, that you know, for sure and certain, that the site you're communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc", of Tashkent, Uzbekistan, doesn't say anything about whether Achmed is going to do the bunk with your credit card details and private information. An EV certificate also doesn't say anything useful about the security practices of the organisation: while ashleymadison.com uses a wildcard DV cert, it is (and was) entirely capable of getting an EV certificate, and everyone's private peccadillos would still be downloadable if they'd been running an EV cert all along.

Finally, for what it's worth, EV certificates are issued after (some) more validation beyond what is done for domain validated (DV) or organisation validated (OV) certs. What is being validated isn't actually all that important, but you can be reasonably sure that someone has gone to some reasonable amount of trouble to make the organisation named in the green bar appear to exist.

All you need to do is this for a Tomcat server:

1. Start with the original keystore that you used to create your CSR. This keystore has on private key in it with the alias called "tomcat"

2. From your certificate reply you will have a reply-cert , a intermediate (probably) , and also a root cert that are 3 separate files.

3. use keytool -import root cert with alias "root"

4. use keytool -import intermediate cert with alias "intermediate"

5. finally use keytool -import cert-reply.crt into keystore with alias "tomcat". this action imports the cert reply into position on top of the cert you generated when you created the keystore. this action will generate a certificate chain of length 2 or 3

6. use keytool -list to see the contents and the chain

NOTE: for an Apache server, the steps are a bit different.