0

I've set up my SSL certificate following the instructions at http://splittingelectrons.wordpress.com/2012/02/24/how-to-configure-an-ssl-certificate-for-apache-on-amazon-ec2/

I've checked my website on multiple SSL checkers and everything is OK, but when I visit the page in FireFox, I get https:// but with a globe instead of a green padlock. Refreshing the page gives a grey padlock.

When I click on the globe (before refreshing to the grey padlock), a dialog pops up saying "This website does not supply identity information. Clicking "more information" shows "Owner: This website does not supply identity information. Verified by: Not specified."

After refreshing, clicking on the grey padlock still shows the "Owner: Not specified" but at least does say "Verified by GeoTrust."

Any idea what's going on here and how to get this right so everyone will see a green padlock? Did I mess up something with my CSR request?

Thanks.

Alex
  • 1
  • 1
  • 1

2 Answers2

1

There exists a class of SSL certificates known as "extended validation" (EV) certificates. The extended validation process involves significantly more stringent checks on the identity of the CSR issuer than a simple "yes, we've seen this public key" SSL certificate, and they cost consequently significantly more than a straight SSL certificate. Firefox indicates the presence of such a certificate by showing a green padlock instead of a grey one.

You didn't tell us what kind of SSL certificate you bought, nor do you give us your URL, so we can't check, but I suspect the underlying problem is that you will need to pay extra for an EV certificate if you want to get the green padlock in Firefox.

Wikipedia notes that

Browsers with EV support display more information for EV certificates than for previous SSL certificates. Microsoft Internet Explorer 7, Mozilla Firefox 3, Safari 3.2, Opera 9.5, and Google Chrome all provide EV support.

though as Michael has clarified, it seems to be only Firefox that uses the green padlock specifically for EV certificates.

MadHatter
  • 79,770
  • 20
  • 184
  • 232
  • That's just how Firefox does it. In Chrome the padlock is always green regardless of certificate type, providing there aren't other problems. – Michael Hampton Sep 02 '13 at 16:14
  • Fair enough, and thank you for that. I have amended my answer slightly, but since the OP specifically mentions Firefox, I think this makes it even more likely that we've hit on the issue. – MadHatter Sep 02 '13 at 16:16
  • Distinguishing an EV certificate is easy, as all browsers show a reverse-color bar containing the name of the entity to whom the certificate was issued. – Michael Hampton Sep 02 '13 at 16:24
1

Firefox's SSL indicator icon (in the default skin, if not all) is always grey for standard certificates.

All a standard certificate proves is that it was signed for a given name (or group of names) - to include proof of identity/ownership information in what gets signed then you need to pay for an EV ("extended validation") certificate (sometimes called a "high assurance certificate") which costs considerably more, takes more hassle to arrange, and provides little or no benefit in most cases (see http://en.wikipedia.org/wiki/Extended_Validation_Certificate#PKI-Me-Harder).

Having an EV certificate will get you a green icon in Firefox, along with the name and country short code next to it in the address bar, as seen on some sites such as https://paypal.com). Whether that is worth the extra cost+time for your target audience is something that only you can judge accurately (though note that many a high-profile site doesn't bother, https://microsoft.com and https://facebook.com to name two). In my experience the two groups of sites that generally bother with EV certs are those that deal with money in some way (banks, payment processors, online stores that handle their own credit card processing) and those that sell EV certificates.

David Spillett
  • 22,754
  • 45
  • 67