If I generate new CA and server certs with RSA keys that are greater than 2048 bits, and use SHA2, is there *anything* else (other cert attributes) I should take care to set, or not set, to ensure it's (a) secure by today's standards, and (b) avoiding complaint from Firefox
Cork: OK, I'll see what I can do for you.
Ah, I know.
Cork: If you trust this CA: http://sprunge.us/ONhB, then browse to https://cengia.id.au, you should see the same issue. Different cert/ca pair, and different server, but probably generated with similar settings, and definitely has the same error returned to the user by Firefox