Dan Mahoney

ECC Cert: Chain Issues?

Discussion created by Dan Mahoney on Oct 19, 2016
Latest reply on Oct 20, 2016 by Dan Mahoney

Hey there,

 

I recently started using both an ECC (Comodo) and an RSA (GeoTrust wildcard) cert on www.isc.org, and what we're discovering is that the level of root cert adoption is wildly disparate.

 

Case in point, Comodo's ECC intermediate certs aren't even on their site: 

 

(Knowledgebase - Powered by Kayako Help Desk Software)

 

Additionally, SSLLabs penalizes me for having certificate issues, because I have all the certs required for maximum visibility.

 

It's my general feeling that if your client is doing a cipher order that allows you to use ECDHE ciphers, and thus prefer our ECC certs, you should probably have a current cert bundle, but we're a somewhat visible organization, so when we break, people notice, complain on Twitter, email us asking if we've been hacked, etc.

It would be nice if we could still get an "A" on SSLLabs in this case -- something we could point people at and say "no, please update your browser".

 

Ivan, any ideas as to how we could get both dual-certs, and get an A?

 

-Dan Mahoney

ISC Operations Group
