Commercial SSL certs and NetTalk Web Server

Posted in the newsgroups by Jane Fleming:

If you’re trying to take a PFX file from a commercial source and split
that into unencrypted key and certificate files for use with NT, you
can download OpenSSL and use these commands:

openssl pkcs12 -in MyDomain.pfx -nocerts -out MyDomainEncrypted.key
openssl rsa -in MyDomainEncrypted.key -out MyDomain.key
openssl pkcs12 -in MyDomain.pfx -clcerts -nokeys -out MyDomain.crt

Note: my newsreader (or Jane’s) appeared to mess with the double - in these commands, so you might have to tinker a bit.

More from Bruce:

An old discussion of certificates, and batch files can be found here;

Can’t get the Certificate and RSA key files generated correctly.
Using Trusted Certificate from Go Daddy on my server.

Actually, you don’t need to download it. OpenSSL.Exe is in your \clarion\accessory\bin folder - and also most likely in your application folder as well.

One other point worth mentioning - there’s no difference between commercial and free certificates (other than the money spent.) Technically they are exactly the same thing [1].

[1] There are actually two “kinds” of certificates - Domain Verified and Extended Certification. Free certs are all Domain verified - and traditionally most paid-for certificates were domain verified as well.

When the free version of DV certificates first appeared (and gutted the commercial certificate market) the folks selling certificates made a big push for Extended Verification. However, while EV certificates cost more, they are now invisible to the end user, so serve no function (other than costing more.)

See;



https://groups.google.com/a/chromium.org/g/security-dev/c/h1bTcoTpfeI/m/jUTk1z7VAAAJ
https://groups.google.com/g/firefox-dev/c/6wAg_PpnlY4

Given the well-documented flaws in the actual “E” part of the EV process, (one of the reasons browsers put so little stock in differentiating them from DV certificates), EV has never been much more than a plain money grab. With no remaining UI indications to a user whether the cert is DV or EV even the nominal pretensions are gone.

The only thing I know you need an EV cert for is cross-signing of Windows kernel drivers for Win10, but I suspect that’s nothing that will interest a Clarion developer. As far as web sites go most users don’t know or care about certificates until something breaks.

Site owners may / should care because a lack of HTTPS impacts SEO.
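
The PFX split from the top of this thread, as an added example that is not part of the original posts: a POSIX shell script (Git Bash or WSL on Windows) that runs the same three OpenSSL steps without prompts, then checks that the resulting key is unencrypted and belongs to the certificate. The function names and the PFX_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH, an RSA key,
# and the PFX password (4+ characters) exported as PFX_PASS by the caller.

# split_pfx PFX BASENAME -> writes BASENAME.key (unencrypted) and BASENAME.crt
split_pfx() (
    pfx=$1 base=$2
    umask 077    # POSIX permissions: new files readable by the owner only
    # env:PFX_PASS keeps the password off the command line and avoids prompts
    openssl pkcs12 -in "$pfx" -nocerts -passin env:PFX_PASS \
        -passout env:PFX_PASS -out "$base.enc.key" &&
    openssl rsa -in "$base.enc.key" -passin env:PFX_PASS -out "$base.key" &&
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASS -out "$base.crt"
    rc=$?
    rm -f "$base.enc.key"    # the encrypted intermediate is no longer needed
    exit "$rc"
)

# key_is_unencrypted KEY -> 0 when the PEM file carries no encryption marker
key_is_unencrypted() {
    [ -s "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# key_matches_cert KEY CRT -> 0 when the private key belongs to the certificate
key_matches_cert() {
    # "-passin pass:" makes an encrypted key fail instead of prompting
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: PFX_PASS=... sh split_pfx.sh MyDomain.pfx MyDomain
if [ "$#" -eq 2 ]; then
    split_pfx "$1" "$2" && key_is_unencrypted "$2.key" &&
        key_matches_cert "$2.key" "$2.crt" &&
        echo "OK: $2.key is unencrypted and matches $2.crt"
fi
```

The unencrypted .key file is the server's private key in the clear, so keep it out of backups and source control and restrict its file permissions on the web server.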