See also IntranetSSL
Strictly speaking, either OrganizationSSL or IntranetSSL intermediate certificates will be used to create a chain of trust leading to a GlobalSign Root Certificate. The use of OrganizationSSL certificates for services hosted on non-public IP addresses can result in revocation of certificates.
An early option on the GlobalSign certificate request page must be selected to specify whether the certificate is for OrganizationSSL or IntranetSSL use. You must pick the choice which corresponds to the nature of the IP address of the server/service, as alluded to in the previous paragraph.
The OrganizationSSL Intermediate Root Certificate is included with every certificate issued by GlobalSign. Or, at least, it used to be. Eventually GlobalSign began including in the issuing email only references to such certificates, e.g. via https://support.globalsign.com/customer/portal/articles/1219303-organizationssl-intermediate-certificates
Every server application must be able to provide this certificate to clients. If you are replacing an existing certificate, an identical OrganizationSSL Intermediate Root Certificate is probably already correctly installed. But perhaps not. In mid-2011, GlobalSign changed from an older certificate to this one.
Some certificate configurations, for example Sendmail SMTP server and Dovecot IMAP server, seem to allow this intermediate certificate to be included in the same file as the host certificate.
While this results in some redundancy in that extra copies of the intermediate certificate are stored, it probably makes for easier updates in general; just replace both certificates with the new ones received from GlobalSign. Plans to put the intermediate certificate in a keychain file such as /software/sslCerts/config/certs/cacert.pem were perhaps misguided, being based in part on older practice where intermediate certificates were not used.
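A minimal check for the single-file layout described above, as an added example (not part of the original page or any GlobalSign tooling): it confirms that the host certificate comes first and that each certificate's issuer name matches the subject of the certificate after it. The sample certificates are constructed, unsigned stand-ins, `host.example.org` is a made-up name, and only names are compared, not signatures.

```python
import base64, re

def tlv(tag, body):                      # DER-encode one element
    n = len(body)
    k = (n.bit_length() + 7) // 8
    head = [tag, n] if n < 0x80 else [tag, 0x80 | k, *n.to_bytes(k, "big")]
    return bytes(head) + body

def read_tlv(buf, pos):                  # -> (tag, content start, content end)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                         # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def issuer_subject(der):                 # raw DER Names of one certificate
    _, p, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, p, end = read_tlv(der, p)         # tbsCertificate SEQUENCE
    fields = []
    while p < end:
        tag, _, e = read_tlv(der, p)
        fields.append((tag, der[p:e]))
        p = e
    if fields[0][0] == 0xA0:             # optional explicit version
        fields.pop(0)
    return fields[2][1], fields[4][1]    # serial, sigAlg, ISSUER, validity, SUBJECT

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def check_bundle(text):                  # [] means the file chains correctly
    names = [issuer_subject(base64.b64decode(b)) for b in PEM.findall(text)]
    if not names:
        return ["no certificates found"]
    if len(names) == 1 and names[0][0] != names[0][1]:
        return ["intermediate certificate missing"]
    return [f"certificate {i} not issued by certificate {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- constructed sample data: unsigned stand-ins with the real field layout ---
def name(cn):                            # Name holding one commonName attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def fake_cert(issuer_cn, subject_cn):
    validity = tlv(0x30, tlv(0x17, b"110413100000Z") * 2)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") + name(issuer_cn) + validity + name(subject_cn))
    pem = base64.encodebytes(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n"

OV_CA = "GlobalSign Organization Validation CA - G2"
LEAF = fake_cert(OV_CA, "host.example.org")
INTERMEDIATE = fake_cert("GlobalSign Root CA", OV_CA)
```

Run `check_bundle(open(path).read())` against the combined file after each renewal; a mismatch report usually means the file still carries the previous intermediate or the two certificates are in the wrong order.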
That link is now broken
Search: organizationSSL
Here is the actual certificate (current version) of which we speak, complete with comment expansion such as openssl x509 -text would provide.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 04:00:00:00:00:01:2f:4e:e1:42:f9
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
        Validity
            Not Before: Apr 13 10:00:00 2011 GMT
            Not After : Apr 13 10:00:00 2022 GMT
        Subject: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - G2
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                5D:46:B2:8D:C4:4B:74:1C:BB:ED:F5:73:B6:3A:B7:38:8F:75:9E:7E
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.globalsign.com/repository/
            X509v3 CRL Distribution Points:
                URI:http://crl.globalsign.net/root.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.globalsign.com/rootr1
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Microsoft Server Gated Crypto
            X509v3 Authority Key Identifier:
                keyid:60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
    Signature Algorithm: sha1WithRSAEncryption
-- AdrianPepper - 23 Nov 2011