Michael Felt
2017-Aug-18 07:02 UTC
is a self signed certificate always invalid the first time?
On 8/11/2017 1:29 PM, Ralph Seichter wrote:
> On 11.08.2017 11:36, Michael Felt wrote:
>
>> This is what Ralph means when he says "have been running a CA for
>> 15+ years" - not that he is (though he could!) sell certificates
>> commercially - rather, he is using an initial certificate to sign
>> later certificates with.
> Actually, I do sell certificates to my customers. :-) In small numbers,
> and only for servers to which I have administrative access.

So, not really "selling", but an additional service.

> I created a
> root CA and two intermediate CAs (one each for client and server certs,
> respectively).
>
> It would be great to have my CAs added to Mozilla's NSS root certificate
> store, but alas, the effort to get there is massive. Where possible, I
> will add my CA certs to the customers' keystores. I also made my CA
> certs available for public download, so tech-savvy users can import the
> CA certs manually.
>
>> Again, technically, there is no difference in a self-signed 2048-bit RSA
>> key, and one signed by a "major" CA. However, in the "ease of use" there
>> may be major differences.
> In 2015 I rolled out an updated CA which I have used ever since, with
> 4096 bit keys for root and intermediary CA certs. I also only generate
> 4096 bit keys for servers these days, so my cert chain is "stronger"
> than those of some commercial CAs. Also, it is good to know that these
> certs have never been touched by anybody but myself. I even install my
> own CA cert chain on my iOS devices.
>
>> And, Ralph, I salute you. I have never been able to be disciplined
>> enough to be my own CA.
> I encourage you to look into the subject again.

I actually have been, which is why I could give a near sensible reply.
Thanks for the encouragement!

> With the advent of Let's
> Encrypt, free certs for the masses have become a thing, but if you need
> more than 3 months validity, want to create certs for Intranet-devices
> (routers, local servers), or just want maximum control over all certs,
> setting up your own CA is rewarding. While you're at it, no gentleman
> should be without DNSSEC, DKIM and DANE these days. ;-)

I should know all three, but, sadly, only one: two things to add to my
list of things to research.

> -Ralph
voytek at sbt.net.au
2017-Aug-18 07:12 UTC
is a self signed certificate always invalid the first time?
On Fri, August 18, 2017 5:02 pm, Michael Felt wrote:
> On 8/11/2017 1:29 PM, Ralph Seichter wrote:
>>> And, Ralph, I salute you. I have never been able to be disciplined
>>> enough to be my own CA.
>> I encourage you to look into the subject again.
>>
> I actually have been, which is why I could give a near sensible reply.
> Thanks for the encouragement!
>
>> With the advent of Let's
>> Encrypt, free certs for the masses have become a thing, but if you need
>> more than 3 months validity, want to create certs for Intranet-devices
>> (routers, local servers), or just want maximum control over all certs,
>> setting up your own CA is rewarding. While you're at it, no gentleman
>> should be without DNSSEC, DKIM and DANE these days. ;-)
> I should know all three, but, sadly, only one: two things to add to my
> list of things to research.

I have been reading this with some interest (while trying to migrate
Dovecot, Postfix etc..)

BUT, for a public web server where https is becoming mandatory, I'd still
need a certificate from a recognized publisher, to avoid users getting
'warnings', is that so ?

(I'm currently using self issued for both mail and web)

thanks,

V
Michael Felt
2017-Aug-18 07:45 UTC
is a self signed certificate always invalid the first time?
On 8/18/2017 9:12 AM, voytek at sbt.net.au wrote:
> On Fri, August 18, 2017 5:02 pm, Michael Felt wrote:
>> On 8/11/2017 1:29 PM, Ralph Seichter wrote:
>>>> And, Ralph, I salute you. I have never been able to be disciplined
>>>> enough to be my own CA.
>>> I encourage you to look into the subject again.
>>>
>> I actually have been, which is why I could give a near sensible reply.
>> Thanks for the encouragement!
>>
>>> With the advent of Let's
>>> Encrypt, free certs for the masses have become a thing, but if you need
>>> more than 3 months validity, want to create certs for Intranet-devices
>>> (routers, local servers), or just want maximum control over all certs,
>>> setting up your own CA is rewarding. While you're at it, no gentleman
>>> should be without DNSSEC, DKIM and DANE these days. ;-)
>> I should know all three, but, sadly, only one: two things to add to my
>> list of things to research.
>
> I have been reading this with some interest (while trying to migrate
> Dovecot, Postfix etc..)
>
> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?
>
> (I'm currently using self issued for both mail and web)

Above - Ralph added:

> I also made my CA
> certs available for public download, so tech-savvy users can import the
> CA certs manually.

Depending on your site-popularity (aka number of "random" users) you could
also instruct them how to access your signing key. Once they had that, they
would auto-magically recognize any other keys you signed with your CA
"roots".

In other words, if the work for you to instruct users to use your CA is
more expensive than using a commercial CA - save money and use a commercial
CA. Before spending any money on a commercial CA - look at alternatives
such as Let's Encrypt. I am also looking at http://www.cacert.org/ (That
might be something for you Ralph!)

>
> thanks,
>
> V
Steffen Kaiser
2017-Aug-18 08:25 UTC
is a self signed certificate always invalid the first time?
On Fri, 18 Aug 2017, voytek at sbt.net.au wrote:
> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?

As Michael wrote already, it's the same for all SSL certificates, because
the underlying mechanism is the same.

-- 
Steffen Kaiser
Noel Butler
2017-Aug-18 09:22 UTC
is a self signed certificate always invalid the first time?
On 18/08/2017 17:12, voytek at sbt.net.au wrote:
> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?
>
> (I'm currently using self issued for both mail and web)
>
> thanks,
>
> V

It depends on what your uses are. Self signed certs are OK for
smtp/pop3/imap, since most people are just concerned with "encryption" in
that case, but it's a different story if it's web content, in particular
shopping carts and the like. If you have clients' content, definitely use
a real cert. Maybe in 10 years letsencrypt might make the grade, but until
every bit of software and OS supports it and they offer insurance levels
like the big boys do, you might as well be using a self signed cert.
Comodo are pretty cheap with basic insurance level on even the most basic
of their offerings. Do your research, though, if using a paid service,
since some others are soon to be un-trusted.

-- 
Kind Regards,
Noel Butler
Ralph Seichter
2017-Aug-18 10:15 UTC
is a self signed certificate always invalid the first time?
On 18.08.2017 09:12, voytek at sbt.net.au wrote:
> for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?

For a certificate to be reported as "valid", an unbroken chain of
cryptographic signatures is required. Browsers are released with a set of
Root CA and Intermediate CA certificates, as are operating systems. Some
use the Mozilla CA Certificate Store[1], for example, others come with
their own CA stores, like macOS[2].

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
[2] https://support.apple.com/en-us/HT202858

Unless your web server certificate's signature chain originates from one
of the CAs delivered with a web browser or OS, the end user connecting to
your site will either have to manually add the required CAs, or add your
server certificate, or be presented with a warning/error message.

One could argue that relying on certificate stores is placing personal
security concerns in other people's hands. Of course, it would be a
potentially funny thing to try and verify the validity of your online
banking server's certificate by asking them to send you a letter
containing the certificate fingerprint...

-Ralph
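The two-tier private CA Ralph describes earlier in the thread (a self-signed root signing an intermediate, which signs the server certs) and the chain check his last message explains, as an added example that is not part of the thread or of any poster's setup. It builds the chain with the openssl CLI, then verifies the same server certificate against the real root and against a second, unrelated root that has the identical subject name but a different key. It assumes OpenSSL 1.1 or newer on PATH; the CA names, the host name mail.example.test, the file names and the helper names are invented for the demo, and the system trust store is deliberately ignored so that only the named anchor counts.

```shell
#!/bin/sh
# Added example, not from the thread: two-tier private CA built with the
# openssl CLI, then the leaf checked against different trust anchors.
# Assumes OpenSSL >= 1.1 on PATH. All names below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal request config: openssl req insists on a distinguished_name
# section even when -subj supplies the subject (the CN here is unused).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles: CA certs get CA:TRUE + keyCertSign; the leaf is
# CA:FALSE, serverAuth, and names the host in subjectAltName.
cat > "$WORK/ext.cnf" <<'EOF'
[ca_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ca_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# new_key_and_csr NAME SUBJECT: RSA key + CSR. 2048 bits keeps the demo
# fast; the 4096-bit CA keys mentioned in the thread are just rsa:4096.
new_key_and_csr() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

# build_chain: root (self-signed) -> inter (signed by root) -> server
# (signed by inter), plus a "rogue" root with the SAME subject name as
# the real root but its own key, to show that names alone prove nothing.
build_chain() {
    new_key_and_csr root "/CN=Example Private Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ext.cnf" -extensions ca_root -out "$WORK/root.pem" 2>/dev/null

    new_key_and_csr inter "/CN=Example Private Server CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ext.cnf" -extensions ca_intermediate \
        -out "$WORK/inter.pem" 2>/dev/null

    new_key_and_csr server "/CN=mail.example.test"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions server \
        -out "$WORK/server.pem" 2>/dev/null

    new_key_and_csr rogue "/CN=Example Private Root CA"
    openssl x509 -req -in "$WORK/rogue.csr" -signkey "$WORK/rogue.key" -days 3650 \
        -extfile "$WORK/ext.cnf" -extensions ca_root -out "$WORK/rogue.pem" 2>/dev/null
}

# chain_ok ANCHOR: exit 0 iff server.pem chains to ANCHOR through inter.pem.
# -no-CAfile/-no-CApath drop the system store, so only ANCHOR is trusted,
# which is the situation a browser is in before the user imports anything.
chain_ok() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
        -untrusted "$WORK/inter.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint, the value you would publish next
# to a downloadable CA cert so users can check what they imported.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

build_chain
for anchor in root rogue; do
    if chain_ok "$WORK/$anchor.pem"; then
        echo "trusting $anchor.pem: server cert VALID"
    else
        echo "trusting $anchor.pem: server cert REJECTED"
    fi
done
echo "root CA fingerprint: $(fingerprint "$WORK/root.pem")"
```

Only the real root makes `chain_ok` succeed; the rogue root carries the same "Example Private Root CA" name but cannot validate the intermediate's signature, so the leaf is rejected, which is the "unbroken chain of cryptographic signatures" in practice. What you hand to users is root.pem (never root.key) together with its fingerprint; once it is in their store, every certificate you later issue under it is accepted without further prompting.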