I may have been under a rock lately. I saw on Reddit that Microsoft Internet Explorer 8 supported StartSSL certificates. So as a goof I signed up at https://www.startssl.com/ and applied for a free server certificate.
I generated via their web page a certificate for blog.dembowski.net, installed it on my apache server and started using it. Firefox complained that I’m not certified as I have not validated who I am. That’s reasonable and very X.509v3 of them.
Internet Explorer 8 used the SSL cert for my server without a single hiccup. Other than my WordPress mixes http and https on the same page, there were no complaints. Internet Explorer just used the SSL cert without any problems.
I use SSL certs for privacy and not for identity, so self-signed SSL certs that I have generated are no big deal for me. But having a Microsoft browser not complain about my SSL web site is surreal.
Edit: Oh. Turns out you also need to follow these instructions too. I added SSLCertificateChainFile to my conf and on my other laptop Firefox does not complain at all now. Chrome works like a charm too.
How did I find out about my misconfiguration? Because I recieved this e-mail from StartSSL this morning:
This mail is intended for the person who owns a digital certificate issued by the StartSSL™ Certification Authority (http://www.startssl.com/).
It seems, that the installation of your server certificate with serial number 45568 for blog.dembowski.net is not complete! You should add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not properly done. Please consult the installation instructions at http://www.startssl.com/?app=20 on how to do that. The missing certificate can be obtained from http://www.startssl.com/certs/sub.class1.server.ca.pem
—
Best Regards
StartCom Ltd.
StartSSL™ Certification Authority
So after I applied for a cert, they reached out to check if I installed it correctly. For Free. How cool is that?
