Just had to deal with a total swap out of all of my SSL certificates at work thanks to the ipsCA screwup that also nailed Bob Plankers and Chris Siebenmann and I’m sure lots of other sites (especially .edu). I’m really peeved too, but rather than hissing and spitting like I really feel like doing, let me pass on a few SSL resources that I found useful while debugging the new chained certs we started using:
- Debian’s SSL keys page is a lovely resource for where and how each common open source package keeps its particular SSL-related configs. Your file system locations may vary but this at least gives you a start for the 30+ packages they list
- UnixCraft’s How To Verify SSL Certificate From a Shell Prompt is a swell tutorial on the various openssl command line options you can use to debug certs.
- Paul Heinlein’s OpenSSL Command-Line HOWTO is a great HOWTO for all sorts of openssl operations.
- The OpenSSL verify manual page lists the error messages you might get when attempting to verify, for example, a chained cert.
- SSLShopper.com, in addition to being a good place to compare certificate authorities, has a surprising amount of really good technical information about all things SSL. For example, The Most Common Java Keytool Keystore Commands and The Most Common OpenSSL Commands are genuinely useful.
Hope this are helpful to you should you get put in the same bind.