On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile@coyhile.com> wrote:
As an academic aside, exactly what would one set on his (internal) root CA so that internally-trusted certs signed by that CA would show up as EV certs?
This is not possible without changing browser source code and recompiling (or debugging/editing the browser binary). The IDs of certificates that are allowed to sign EVSSL CAs are hard-wired in the browser. In some browsers, this also means it's impossible for an end user to "untrust" or remove an EVSSL CA.
It also means you cannot, as a site administrator, make an administrative decision to internally add an internal EVSSL CA without customizing every browser.
If you ask me... it's shoddy software design. EVSSL CAs should be configurable, but none of the major browsers provide the knobs to manually add or remove EVSSL access to/from a trusted CA.
Thanks. I saw something about it on TechNet. (I'm using Windows for my internal CA). I'm guessing those instructions may work for IE only. If I find anything interesting, I'll let you know.