Michael Felt
2017-Aug-11 09:36 UTC
is a self signed certificate always invalid the first time?
I have looked at Let's Encrypt. The key issue for me is having to add a lot of Python stuff that would otherwise not be on any server.

Again, all CAs like "Let's Encrypt" - and others that are accepted by the "majors", e.g., Windows, Mozilla - make it much easier for the "random" user to use anything you protect with SSL (better: TLS) without them having to grant "trust" manually. That "trust" is indicated because the CA that signed your certificate is recognized by a CA, that is recognized by a CA, that is recognized by a CA in the "root-trust" list that the "majors" make available (e.g., the Mozilla list available via the curl site: https://curl.haxx.se/docs/caextract.html).

Now - back to Ralph's comment:

On 8/10/2017 1:42 PM, Ralph Seichter wrote:
> I have been running a CA for 15+ years, generating certificates only for
> servers I personally maintain. Since my business is too small to be able
> to afford all the steps required to have my CA trusted by Mozilla, Apple
> etc., this approach leaves me with the same problem self-signed certs
> have: How can I make third party applications like web browsers or MUAs
> trust the certs I created?

Rather than make the mistake I did years ago by making "unique" self-signed certificates for different servers - start out with a self-signed certificate that you use as a signing certificate. This is what Ralph means when he says "have been running a CA for 15+ years" - not that he is (though he could!) selling certificates commercially - rather, he is using an initial certificate to sign later certificates with. So, his "users" only need to add the public side of his signing certificate - and any certificate he has signed meets the "chain of trust".

So, if your users are "random", i.e., can come from anywhere - you may want a "major accepted/recognized" certificate authority so that you do not have to distribute your signing key.

However, if your user pool is "select", or otherwise known - requiring them to use your "self-signed" CA may be a positive, rather than a negative. Again, technically, there is no difference in a self-signed 2048-bit RSA key, and one signed by a "major" CA. However, in the "ease of use" there may be major differences.

And, Ralph, I salute you. I have never been able to be disciplined enough to be my own CA. :)
Florian Beer
2017-Aug-11 09:44 UTC
is a self signed certificate always invalid the first time?
On 2017-08-11 11:36, Michael Felt wrote:
> I have looked at let's encrypt. Key issue for me is having to add a
> lot python stuff that would otherwise not be on any server.

I use acme.sh for all of my Let's Encrypt certs (web & mail); it is written in pure shell script, so no Python dependencies.
https://github.com/Neilpang/acme.sh
Ralph Seichter
2017-Aug-11 11:29 UTC
is a self signed certificate always invalid the first time?
On 11.08.2017 11:36, Michael Felt wrote:
> This is what Ralph means when he says "have been running a CA for
> 15+ years" - not that he is (though he could!) sell certificates
> commercially - rather, he is using an initial certificate to sign
> later certificates with.

Actually, I do sell certificates to my customers. :-) In small numbers, and only for servers to which I have administrative access. I created a root CA and two intermediate CAs (one each for client and server certs, respectively).

It would be great to have my CAs added to Mozilla's NSS root certificate store, but alas, the effort to get there is massive. Where possible, I will add my CA certs to the customers' keystores. I also made my CA certs available for public download, so tech-savvy users can import the CA certs manually.

> Again, technically, there is no difference in a self-signed 2048-bit RSA
> key, and one signed by a "major" CA. However, in the "ease of use" there
> may be major differences.

In 2015 I rolled out an updated CA which I have used ever since, with 4096-bit keys for root and intermediate CA certs. I also only generate 4096-bit keys for servers these days, so my cert chain is "stronger" than those of some commercial CAs. Also, it is good to know that these certs have never been touched by anybody but myself. I even install my own CA cert chain on my iOS devices.

> And, Ralph, I salute you. I have never been able to be disciplined
> enough to be my own CA.

I encourage you to look into the subject again. With the advent of Let's Encrypt, free certs for the masses have become a thing, but if you need more than 3 months validity, want to create certs for Intranet devices (routers, local servers), or just want maximum control over all certs, setting up your own CA is rewarding. While you're at it, no gentleman should not be without DNSSEC, DKIM and DANE these days. ;-)

-Ralph
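The chain-of-trust point Michael makes in his first post, and the root-plus-intermediate layout Ralph describes above, can be shown end to end with a small program. The following is an added example written for this page; it is not code from either poster and not from any project they mention. It uses only Go's standard crypto/x509 library to build a hypothetical private PKI (a self-signed root, an intermediate restricted to server certificates, and one server certificate), then runs the same path validation a browser or MUA would run. All names ("Example Private Root CA", "mail.example.test") are invented, and ECDSA P-256 is used purely to keep key generation fast; the structure is identical with 4096-bit RSA keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a parsed certificate with the private key that matches it.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert generates a fresh key and issues tmpl signed by parent; with a nil
// parent the certificate is self-signed (that is what a root CA is).
func mkCert(tmpl *x509.Certificate, parent *certKey) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial numbers; never reuse a serial under one issuer.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour) // tolerate clock skew
	parentCert, signKey := tmpl, key
	if parent != nil {
		parentCert, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certKey{cert: cert, key: key}, nil
}

// BuildPKI creates the hypothetical chain root -> server-issuing CA -> leaf.
func BuildPKI() (root, inter, leaf *certKey, err error) {
	root, err = mkCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
	if err != nil {
		return
	}
	// Intermediate limited to server certs (EKU) and to issuing leaves only
	// (pathlen 0), so a stolen intermediate key cannot mint further CAs.
	inter, err = mkCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Server Issuing CA"},
		NotAfter:              time.Now().AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root)
	if err != nil {
		return
	}
	leaf, err = mkCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "mail.example.test"},
		DNSNames:    []string{"mail.example.test"}, // SAN is what clients match
		NotAfter:    time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter)
	return
}

// Verify validates leaf for dnsName. roots are the trust anchors the client
// has installed; intermediates are untrusted helpers, as sent by a TLS server.
func Verify(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, dnsName string) error {
	rootPool := x509.NewCertPool() // non-nil and empty: "nothing is trusted"
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		DNSName:       dnsName,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports the "issuer not trusted" failure a browser shows
// for a CA it has never been told about.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	root, inter, leaf, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	// 1. A client that has not imported the private root: rejected.
	fmt.Println("no root installed:", Verify(leaf.cert, nil, []*x509.Certificate{inter.cert}, "mail.example.test"))
	// 2. The same client after importing only the root cert: chain validates.
	fmt.Println("root installed:", Verify(leaf.cert, []*x509.Certificate{root.cert}, []*x509.Certificate{inter.cert}, "mail.example.test"))
	// 3. Root installed but the server forgot to send the intermediate: rejected.
	fmt.Println("intermediate missing:", Verify(leaf.cert, []*x509.Certificate{root.cert}, nil, "mail.example.test"))
}
```

Case 1 is the "invalid the first time" situation from the subject line: nothing is wrong with the certificate, the client just has no path from it to a trust anchor. Case 2 is Ralph's model: users import only the root, and every certificate he later signs through an intermediate validates without further action. Case 3 is the most common operational mistake with a private CA: the root is trusted, but the server is configured with the leaf alone instead of leaf plus intermediate, so clients cannot build the chain.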
Michael Felt
2017-Aug-18 06:58 UTC
is a self signed certificate always invalid the first time?
On 8/11/2017 11:44 AM, Florian Beer wrote:
> On 2017-08-11 11:36, Michael Felt wrote:
>> I have looked at let's encrypt. Key issue for me is having to add a
>> lot python stuff that would otherwise not be on any server.
>
> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
> written in pure shell script, so no python dependencies.
> https://github.com/Neilpang/acme.sh

Thanks - I might look at that, but as Ralph mentions in his reply - Let's Encrypt certs are only for three months - a never-ending circus.
Michael Felt
2017-Aug-18 07:02 UTC
is a self signed certificate always invalid the first time?
On 8/11/2017 1:29 PM, Ralph Seichter wrote:
> On 11.08.2017 11:36, Michael Felt wrote:
>
>> This is what Ralph means when he says "have been running a CA for
>> 15+ years" - not that he is (though he could!) sell certificates
>> commercially - rather, he is using an initial certificate to sign
>> later certificates with.
> Actually, I do sell certificates to my customers. :-) In small numbers,
> and only for servers to which I have administrative access.

So, not really "selling", but an additional service.

> I created a
> root CA and two intermediate CAs (one each for client and server certs,
> respectively).
>
> It would be great to have my CAs added to Mozilla's NSS root certificate
> store, but alas, the effort to get there is massive. Where possible, I
> will add my CA certs to the customers' keystores. I also made my CA
> certs available for public download, so tech-savvy users can import the
> CA certs manually.
>
>> Again, technically, there is no difference in a self-signed 2048-bit RSA
>> key, and one signed by a "major" CA. However, in the "ease of use" there
>> may be major differences.
> In 2015 I rolled out an updated CA which I have used ever since, with
> 4096 bit keys for root and intermediary CA certs. I also only generate
> 4096 bit keys for servers these days, so my cert chain is "stronger"
> than those of some commercial CAs. Also, it is good to know that these
> certs have never been touched by anybody but myself. I even install my
> own CA cert chain on my iOS devices.
>
>> And, Ralph, I salute you. I have never been able to be disciplined
>> enough to be my own CA.
> I encourage you to look into the subject again.

I actually have been, which is why I could give a near sensible reply. Thanks for the encouragement!

> With the advent of Let's
> Encrypt, free certs for the masses have become a thing, but if you need
> more than 3 months validity, want to create certs for Intranet-devices
> (routers, local servers), or just want maximum control over all certs,
> setting up your own CA is rewarding. While you're at it, no gentleman
> should not be without DNSSEC, DKIM and DANE these days. ;-)

I should know all three, but, sadly, only one: two things to add to my list of things to research.

> -Ralph