[linux-elitists] SSL security certificates

mike@jurney.org mike@jurney.org
Thu Apr 10 15:30:05 PDT 2003


On Thu, 10 Apr 2003, Modus Operandi wrote:

>     As far as I can tell, the only problem with self-signed certs is
>     that the first time a browser encounters one, the user is warned
>     that the cert cannot be verified to be trustworthy. Once the user
>     decides they trust the cert, the message goes away and the SSL
>     does its magic. I've seen this behavior when using squirrelmail to
>     check my mail at woozle.org -- it doesn't bother me because I trust
>     WoozleWorks, but if I were setting up a site to do business with the
>     public, I might be more concerned about violating the web of trust.

An ssl certificate provides two distinct capabilities:  Authentication of
the remote server and Encryption with the remote server.  Any self-signed
certificate can provide you with the encryption.  It's the authentication
that you pay for with someone like Verisign.  They put their stamp on our
cert to let other people know that Verisign has checked you out and done
their best to say you are who you claim to be.

>     On the other hand, self-signed certs are free, while VeriSign
>     charges an arm and a leg ($500 - $1,000) annually. There are plenty
>     of other cert authorities out there -- Thawte, Entrust, Comodo and
>     dozens of others -- but what makes one more "trustworthy" than
>     another? Where can I find a good, secure cert that will be accepted
>     by browsers without complaints?

One cert is as secure as another in terms of line-encryption, but the
Certificate Authority that signs the certificate you have has to be in the
Root CA Bundle that ships with the end-user's browser if you don't want
the user to have to click through anything.  Any certificate that appears
in there will be accepted without requiring the user to specifically
approve it.  In mozilla you can see the contents of the Root CA Bundle
via:

Edit -> Preferences -> Privacy and Security -> Certificates -> Manage
Certificates -> Authorities tab.

>     And if I decide to go the self-signed route, what's a good resource
>     to show me the quick and dirty way of rolling my own 128-bit cert?

http://slacksite.com/apache/certificate.html

I just googled for 'openssl generate self-signed ssl certificate', but
this page seems to cover what you need to do pretty well.

-- 
Michael D. Jurney
mike@jurney.org
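The distinction drawn in the reply above (any cert encrypts; only a cert chaining to something in the browser's Root CA Bundle is accepted without a click-through), as an added example that is not part of the original message or the linked page. It uses the openssl command-line tool; the hostname www.example.test, the "Demo Root CA" name, the scratch directory and the file names are constructed for the demo and are not from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. It demonstrates the
# reply's two points with the openssl command-line tool: a self-signed
# cert and a CA-signed cert encrypt equally well, but a verifier only
# accepts a cert silently when its issuer is in the trust bundle, and
# only for the name the cert carries. The hostname, CA name and file
# layout below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"     # scratch directory for keys and certs
HOST="www.example.test"          # constructed hostname, not a real site

# Key pair plus a certificate signing request for a given subject CN.
make_key_and_csr() {             # $1 = file prefix, $2 = CN
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Extension files: the CA is marked as a CA; the server certs are not and
# carry the hostname in subjectAltName so the name check below can pass.
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"

# 1. A private CA standing in for Verisign.
make_key_and_csr ca "Demo Root CA"
openssl x509 -req -days 1 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# 2. The "rolled your own" cert: the server key signs its own certificate.
make_key_and_csr selfsigned "$HOST"
openssl x509 -req -days 1 -in "$WORK/selfsigned.csr" -signkey "$WORK/selfsigned.key" \
    -extfile "$WORK/server.ext" -out "$WORK/selfsigned.crt" 2>/dev/null

# 3. The paid-for cert: same kind of key and CSR, but the CA signs it.
make_key_and_csr server "$HOST"
openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# The bundle a browser ships with: it knows the CA, not our server.
cp "$WORK/ca.crt" "$WORK/browser-bundle.pem"
# The bundle after the user clicks "accept" on the self-signed cert.
cat "$WORK/ca.crt" "$WORK/selfsigned.crt" > "$WORK/user-bundle.pem"

# What a browser does on connect: chain the cert to something trusted and
# match the name. Returns 0 on success, non-zero otherwise.
verify_against() {               # $1 = bundle, $2 = cert, $3 = expected hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Self-signed cert against the stock bundle: this is the warning dialog.
if verify_against "$WORK/browser-bundle.pem" "$WORK/selfsigned.crt" "$HOST"; then
    echo "unexpected: self-signed cert accepted by the stock bundle"; exit 1
fi
echo "self-signed cert: rejected by the stock bundle"

# Same cert after the user chose to trust it: the message goes away.
verify_against "$WORK/user-bundle.pem" "$WORK/selfsigned.crt" "$HOST"
echo "self-signed cert: accepted once the user trusts it"

# CA-signed cert against the stock bundle: accepted with no click-through.
verify_against "$WORK/browser-bundle.pem" "$WORK/server.crt" "$HOST"
echo "CA-signed cert: accepted silently by the stock bundle"

# The authentication half: the same trusted cert presented for another
# name is rejected, even though the chain is fine.
if verify_against "$WORK/browser-bundle.pem" "$WORK/server.crt" "mail.example.test"; then
    echo "unexpected: cert accepted for the wrong hostname"; exit 1
fi
echo "CA-signed cert: rejected for a hostname it was not issued for"
```

Run it as a script with openssl on the PATH; every key and cert lands in a fresh temporary directory, so nothing touches the system trust store. The user-bundle step is the command-line equivalent of clicking "accept" in the browser: it adds the self-signed cert itself to the set of trusted certs, which is exactly why that decision should only be made for a server you already trust by some other route.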
