<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Aton International, Inc. &#187; SSL Certificates</title>
	<atom:link href="http://www.aton.com/tag/ssl-certificates/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.aton.com</link>
	<description>Trusted Mobile &#38; Embedded Developers</description>
	<lastBuildDate>Mon, 28 Jun 2010 16:25:52 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Get Website SSL Certificates That Secure Mobile Access, Too</title>
		<link>http://www.aton.com/get-website-ssl-certificates-that-secure-mobile-access-too/</link>
		<comments>http://www.aton.com/get-website-ssl-certificates-that-secure-mobile-access-too/#comments</comments>
		<pubDate>Mon, 08 Sep 2008 22:21:42 +0000</pubDate>
		<dc:creator>Charles Wilde</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Mobile Devices]]></category>
		<category><![CDATA[SSL Certificates]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.aton.com/?p=398</guid>
		<description><![CDATA[Confused by all the different types of SSL certificates available? Here&#8217;s how to get the right one for your needs. We needed to set up a new website to support Aton International&#8217;s service customers.  This website needed to be secure, as it contains proprietary data.  For a variety of business and technical reasons, we [...]]]></description>
			<content:encoded><![CDATA[<h4 class="MsoNormal">Confused by all the different types of SSL certificates available? <br />
 Here&#8217;s how to get the right one for your needs.</h4>
<p class="MsoNormal">We needed to set up a new website to support Aton International&#8217;s service customers.  This website needed to be secure, as it contains proprietary data.  For a variety of business and technical reasons, we settled on a site architecture based on Plone / Zope / Apache SSL / Ubuntu Server.  Bringing up this stack proved to be straightforward.  The only thing missing was an SSL certificate based on a widely accepted root certificate.</p>
<p class="MsoNormal">For the initial installation of our website, we used a self-generated SSL certificate.  This type of certificate is useful for internal testing, but not for general use with our clients.  Every time I connected to the website, the browser would complain of an unknown certificate.  Although this warning can be dismissed, it would not inspire confidence from our customers.  The warning message can be avoided by installing the self-generated certificate into the browser, but asking the customer to do that was not an option.</p>
<h3 class="MsoNormal">Buying an SSL Certificate from a Public Certification Authority</h3>
<p class="MsoNormal">The  alternative is to buy an SSL certificate from a  public  certification authority.  The root certificates for  a number of public  certification authorities are built into every web browser, or more  accurately, the operating system that supports the web browser. Use of an SSL  certificate on the server based upon a root certificate embedded into  the web browser eliminates the warning messages when accessing your secured web  site.</p>
<p class="MsoNormal">Public SSL root certificates are also included in all  versions of Windows Mobile Pocket Internet Explorer starting with Windows Mobile  2003 and following editions.   Only partial SSL support was built into Windows  Mobile 2002 Pocket PC and Smartphone.</p>
<p class="MsoNormal">Because we offer several software products for Windows Mobile, we wanted our customers to have the ability to access this website from Windows Mobile phones in addition to the desktop. But, narrowing  down all of the available commercial SSL certificate options to get the “right” one proved to be a bit challenging.</p>
<p class="MsoNormal">The relatively large number of SSL certificate authorities from a few years ago has dwindled down to about three through business mergers and acquisitions.  Some of these authorities are more generally recognized by users, and thus may instill more confidence in your website security.  Each of the SSL certificate authorities has a large number of affiliated resellers, who offer a very wide range of prices for the same product.</p>
<h3 class="MsoNormal">Levels of Security</h3>
<p class="MsoNormal">Another dimension is how deeply the certificate authority investigates your request before  issuing your certificate.  The most basic level simply checks that you are  authorized to obtain SSL certificates for your domain name.  This means that a  customer can be assured that their browser is connecting with your server, not a  bogus server operated by someone else.</p>
<p class="MsoNormal">For an e-Commerce web site that directly offers products for  sale,  the next level of certificate, issued only after the certificate authority does  basic business record checking, is appropriate.  The third level of certificate,  where the authority does an extended background check of your business, rewards  your URL with a green bar on Internet Explorer.</p>
<p class="MsoNormal">We opted for the first level of certificate for this website, since our customers have already used other means to determine that they want to do business with us.  Our online product sales are handled through a different website.</p>
<h3 class="MsoNormal">Which SSL Certificate?</h3>
<p class="MsoNormal">Each certificate comes with a snippet of HTML code that you can place on your web pages to generate a visible logo describing what level of SSL certificate is in use.  These logos vary, and can include a real-time check back to the certification authority before display to help prevent spoofing of the logo.</p>
<p class="MsoNormal">The more checking the certificate authority does to validate  the use of the certificate, the higher the cost.  SSL  certificate prices range from under $100 to beyond several thousand dollars.   The least expensive certificates are useful for only one domain address, such as [www.domainname.com].</p>
<p class="MsoNormal">If you then want to secure a second domain name, such as [extranet.domainname.com], you will need to purchase another certificate.  You can purchase certificates useful for a fixed number of domain names, such as four, or a “wildcard” SSL certificate where you can substitute any name for the &#8220;*&#8221; in [*.domainname.com].</p>
<p class="MsoNormal">For a simple website, the inexpensive domain  verification SSL certificate may be all that is required. This is what we  chose.</p>
<p class="MsoNormal">So  we are done now, right?  Not quite.</p>
<h3 class="MsoNormal">Which Root Certificate Authority?</h3>
<p class="MsoNormal">The next question is, &#8220;Which root certificate authority is the SSL certificate based upon?&#8221;  The major web browsers, such as Firefox and Internet Explorer, can access a wide variety of root certificates installed in the operating system.  Mobile phones contain a smaller subset of these root certificates.</p>
<p class="MsoNormal">If you buy the “wrong” certificate for your server, it can be  securely browsed by the desktop or workstation web browser, but not by a mobile  phone.  This is because the root certificate for your certificate is not  installed on the phone.  You might be able to manually install this certificate  on the mobile phone, but it is much easier to buy the “right” certificate based  upon a root certificate already built into the phone.</p>
<p class="MsoNormal">Some diligence is needed to ferret out exactly what root  authority will be associated with your certificate.  Some of the vendors of web  site certificates simply say something like “works with 99% of all web  browsers”.  Others will tell you exactly what root authority is being used.  We  liked the depth of information provided on the site <a title="http://www.trustico.com/" href="http://www.trustico.com/">http://www.trustico.com</a>.  They tell you  explicitly the name of the root in the section “Who Will Be The  Certification Authority” for each of their SSL certificate  products.</p>
<p class="MsoNormal">This information is crucial.  It allows you to see that the root authority for the QuickSSL Premium product is “Equifax Secure Certificate Authority”, whereas the less expensive QuickSSL Basic product is “Equifax Secure Global eBusiness CA-1”.  The “Equifax Secure Certificate Authority” root certificate is included in Windows Mobile phones, whereas “Equifax Secure Global eBusiness CA-1” is only present on desktop operating systems.</p>
<p class="MsoNormal">For Windows Mobile 2003 and  later version phones,  the list  of root certificates can be seen in the Certificates applet, which is accessed by clicking &#8220;Start | Settings | System | Certificates | Root&#8221;.  The list  of all root  certificates currently installed on the phone will be displayed.</p>
<h3 class="MsoNormal">List of Root Certificates Installed on Windows Mobile Phones</h3>
<p class="MsoNormal">The list of root certificates installed on Windows Mobile  phones has expanded over time.</p>
<p class="MsoNormal">For <strong>Windows Mobile 2003 and 5.0</strong>, the list is:</p>
<ul>
<li>Class 2 Public Primary Certification Authority</li>
<li>Class 3 Public Primary Certification Authority</li>
<li>Entrust.net Certification Authority (2048)</li>
<li>Entrust.net Secure Server Certification Authority</li>
<li>Equifax Secure Certificate Authority</li>
<li>GlobalSign Root CA</li>
<li>GTE CyberTrust Global Root</li>
<li>GTE CyberTrust Root</li>
<li>Secure Server Certification Authority</li>
<li>Thawte Premium Server CA</li>
<li>Thawte Server CA</li>
</ul>
<p class="MsoNormal">For <strong>Windows Mobile 6.0 and 6.1,</strong> the list has been expanded  to include:</p>
<ul>
<li>http://www.valicert.com (also available on some versions of Windows Mobile 5.0)</li>
<li>AAA Certificate Services</li>
<li>AddTrust External CA Root</li>
<li>Baltimore CyberTrust Root</li>
<li>GeoTrust Global CA</li>
<li>GoDaddy Class 2 Certification Authority</li>
<li>Starfield Class 2 Certification Authority </li>
</ul>
<p class="MsoNormal">One item was <strong>deleted from the original Windows Mobile 2003</strong> list:</p>
<ul>
<li>GTE CyberTrust Root </li>
</ul>
<h3 class="MsoNormal">Selecting an SSL Certificate Vendor</h3>
<p class="MsoNormal">Armed with all of this information, it was time to select an  SSL Certificate Vendor.  We liked GeoTrust’s reputation and settled on their  QuickSSL product because we needed the certificate quickly, and only needed to  verify our domain for our customers on our simple website.  The GeoTrust QuickSSL   Premium product will support mobile phones (it is based on the “Equifax Secure  Certificate Authority” root), whereas the QuickSSL Basic product will not  support mobile phones (it is based on the “Equifax Secure Global eBusiness CA-1”  root).</p>
<p class="MsoNormal">The list price for the GeoTrust QuickSSL Premium product is $299, but this same certificate can be found deeply discounted at other sites.  We chose Trustico, where the product was available for $89.  The Trustico site had a wealth of technical information, with step-by-step instructions for generating the CSR (Certificate Signing Request) for most of the common web server arrangements.</p>
<p class="MsoNormal">After following the instructions for generating the CSR  file, the process of ordering the certificate was straightforward.  The only  catch was at the end, where after a long pause we were told the order was  “queued for manual  review”.  We ordered the certificate Saturday evening, but  did not actually receive it  until Monday morning.</p>
<h3 class="MsoNormal">Installing the SSL Certificate on Ubuntu</h3>
<p class="MsoNormal">While installing the certificate on the Ubuntu server, we encountered  two problems. One was that the certificate was  generated for the external DNS name of the server, whereas the hosts file on  the Ubuntu server only contained the local  name of the server.  This caused a  startup error message from Apache, saying  “Starting web server apache2  apr_sockaddr_info_get() failed” and defaulting to localhost as an address.   Adding the external DNS name of the server to the hosts file resolved that  problem.</p>
<p class="MsoNormal">The second problem: the private key that accompanies the certificate as purchased from the SSL certificate vendor is encrypted with a passphrase.  This means that every time Apache is started, it attempts to ask the operator for the passphrase, and fails to start if the passphrase is not entered.  I resolved this by generating a new private key file for the certificate that has the passphrase removed.  This was accomplished using a single command line on the Ubuntu server:</p>
<ul>
<li>openssl rsa -in key.pem -out keyout.pem</li>
</ul>
<p class="MsoNormal">The file keyout.pem serves the same function as key.pem, but requires no passphrase.  As you might expect, during the execution of this command, it will ask you for the passphrase before removing it from the private key file.  Because keyout.pem is now stored unencrypted, restrict its file permissions so that only the account that starts Apache can read it.</p>
<p class="MsoNormal">Once these two fixes were made, Apache started up with our new SSL certificate.  Logging on to our new website now happens with no browser error messages and with the lock symbol displayed.  Windows Mobile Pocket Internet Explorer is also able to log onto our customer support website and display the session lock symbol.</p>
<p class="MsoNormal">Mission accomplished!</p>
<p><strong><a title="Aton International, Inc. trusted mobile and embedded developers" href="http://www.aton.com/index.htm" target="_blank">Charles Wilde, Consulting Software Architect/Developer and Founder of Aton International, Inc.,</a> is a mobile/embedded system veteran with 25+ years of successful application development experience. As time permits, he’ll answer your tough questions about mobile app development or Windows Mobile to help you complete a project successfully.</strong></p>
<p><strong><a title="Ask the Expert Mobile Developers" href="http://www.aton.com/services/ask-the-expert-mobile-developers" target="_blank">To contact Charles Wilde, go to the Aton International, Inc website</a></strong></p>
<p><strong>© 2008  Charles A. Wilde   All Rights Reserved</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.aton.com/get-website-ssl-certificates-that-secure-mobile-access-too/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>
