Hiya, I have some questions that have cropped up as I've come round to renew my domain certificates.
1) Although the cert works as an SSL cert, the 'Organization' name displayed for my certificates has gone from being the domain name itself to 'Persona Not Validated'. Is this a policy change by StartSSL, or have I done something differently this time?
2) Why is the .crt file at http://www.startssl.com/certs/ca-bundle.crt
apparently unencrypted and readable in a text editor, but the crt file at e.g. http://www.startssl.com/certs/sub.class1.client.ca.crt
It's not encrypted, it has a different encoding. For historical reasons the CA Bundle has been kept in PEM format, whereas the certificates are either DER encoded (.crt) or PEM encoded (.pem).
3) CA bundles. This is a confusing topic. Essentially, as I understand it, they are a bunch of certs, just copy/pasted together in one file. However, I have discovered a couple of different StartSSL CA bundle files that I had stored (and was using) on my server. One seems to have lots of (useful?) descriptive information above each cert, and the other just has the certs. Here are the two: http://www.game-point.net/misc/startcom1.cabundle.txt http://www.game-point.net/misc/startcom2.cabundle.txt
Now, your latest version of the StartCom CA bundle at http://www.startssl.com/certs/ca-bundle.crt
seems to be a lot more similar to the startcom2 CA bundle I had lying around. Where would I have got hold of the nicer (to the human eye, anyway) startcom1 one?
The former bundle is from our old CA root and not in use anymore. The latter is from the current CA root and is kept in a more compact form. You can use OpenSSL to display the content nicely:
openssl x509 -text -noout -in ca-bundle.crt
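
An added example, not part of the original thread: a small Python check that tells a PEM file from a DER one and splits a bundle into its individual certificates, showing that the descriptive text above each cert in the "nicer" bundle does not change what the bundle contains. The function names and the two sample blobs are constructed for illustration (tiny DER structures, not real StartCom certificates).

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def der_length(data):
    """Total size announced by a DER SEQUENCE header, or None if not DER."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = ASN.1 SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                           # short form: length in one byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data):
    """Classify file contents as 'pem', 'der' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "pem"
    if der_length(data) == len(data):          # header must match the file size
        return "der"
    return "unknown"

def split_bundle(data):
    """Return the DER bytes of every certificate in the file, in order."""
    kind = detect_encoding(data)
    if kind == "der":
        return [data]
    if kind == "pem":
        # Text outside the BEGIN/END markers (descriptive headers) is skipped.
        return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(data)]
    raise ValueError("neither PEM nor DER")

# Constructed stand-ins: tiny valid DER SEQUENCEs, not real certificates.
DER_A = bytes.fromhex("3003020101")
DER_B = bytes.fromhex("3003020102")
PEM_A = ssl.DER_cert_to_PEM_cert(DER_A).encode()
PEM_B = ssl.DER_cert_to_PEM_cert(DER_B).encode()
BARE_BUNDLE = PEM_A + PEM_B
ANNOTATED_BUNDLE = b"Subject: constructed A\n" + PEM_A + b"Subject: constructed B\n" + PEM_B

if __name__ == "__main__":
    for name, blob in [("DER file", DER_A), ("bare bundle", BARE_BUNDLE),
                       ("annotated bundle", ANNOTATED_BUNDLE)]:
        print(name, detect_encoding(blob), [c.hex() for c in split_bundle(blob)])
```
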