[CentOS] self signing certificates

James B. Byrne byrnejb at harte-lyne.ca
Mon Aug 24 23:59:03 UTC 2009


> From: Jerry Geis <geisj at pagestation.com>
> To: CentOS ML <centos at centos.org>
> Sent: Monday, 24 August, 2009 14:32:00
> Subject: [CentOS] self signing certificates
>
> hi all,
>
> I have gone through the process of self signing certificates.
> Aside from the pop-ups about not trusted etc... everything
> appears to work.
>
> For "internal" applications what do people/places do?
> It would be nice to be seamless and have the "you're not trusted"
> window pop-up.
>

As someone else previously detailed, you really need to have a root
signing CA that only signs certs for your issuing CAs and then use
the issuing CAs to sign end use certificates of whatever types you
deem appropriate.  It is considered required practice that root CA
and issuing CAs must be physically isolated from all network
connections and that floppy or sneaker net must be used to handle
incoming CSR and outgoing CERTS.  If you are simply using certs for
encryption and not for authentication then this practice probably
can be safely dispensed with.  If you ARE using certs for
authentication then this provision is absolutely required.

The arrangement of self-signed root CA <--CSR--- Issuing CA
<--CSR--- end-user is now critical for Firefox users. Releases in
the 3.x series will no longer trust any self-signed CA certificate.
So, to avoid the warning box in Firefox you must have the end use
certificates signed by an intermediate CA whose own certificate may
however be signed by a self-signed root.

> Yet this is not a public web site either. Just internal use.
> The server might be on the internet but people from the internet
> are not using it.
>

Well, the available software has no way of figuring that out for
itself, so it makes no difference. And, to be precise, "people from
the internet should not be using it", which is rather a different
thing.

> I presume there is no way to by-pass the certificate signing
> process - even for internal apps.
> Is there?
>

Not unless you can live with the warning boxes.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
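The root CA <--CSR--- issuing CA <--CSR--- end-user arrangement described in the reply above, as an added example that is not part of the original thread or of any CentOS tooling: a POSIX shell script that builds the three tiers with openssl and then verifies the chain the way a client would. All names, file paths, lifetimes and key sizes are assumptions. The .csr files are the only thing that would travel across the sneaker-net gap to the root and issuing CAs; the root key never needs to leave its host.

```shell
#!/bin/sh
# Added example (not from the original post): three-tier hierarchy
#   self-signed root CA  <--CSR--  issuing CA  <--CSR--  server certificate
# Names, paths, lifetimes and key sizes are assumptions. Keys are written
# unencrypted (-nodes) only so the script runs non-interactively; a real
# root key would be protected and kept off the network.

WORK="${WORK:-$(mktemp -d)}"

# mkcsr NAME CN: write a minimal req config, then generate a key and a CSR.
mkcsr() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_chain() {
  # 1. Root CA: self-signed, CA:TRUE, used only to sign issuing-CA certificates.
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = Example Root CA\n[root_ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/root.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/root.cnf" -extensions root_ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1

  # 2. Issuing CA: its CSR is signed by the root. pathlen:0 stops it from
  #    creating further CAs, so a compromised issuing key cannot mint new ones.
  mkcsr issuing "Example Issuing CA" || return 1
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$WORK/issuing.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/issuing.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/issuing.ext" -out "$WORK/issuing.crt" >/dev/null 2>&1 || return 1

  # 3. Server certificate: CSR signed by the issuing CA, never by the root.
  mkcsr server "intranet.example.internal" || return 1
  printf 'basicConstraints = critical,CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:intranet.example.internal\nauthorityKeyIdentifier = keyid\n' > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 397 -in "$WORK/server.csr" \
    -CA "$WORK/issuing.crt" -CAkey "$WORK/issuing.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# What a browser does: trust only the root, take the issuing CA as an
# untrusted intermediate from the server, and validate the leaf. Returns 0 on success.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# The usual misconfiguration: the server sends only its own certificate, so
# the client never sees the issuing CA and cannot build a path to the trusted
# root. Returns non-zero even though the root itself is trusted.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# issuer_of FILE: print the issuer DN of a certificate (for checking who signed what).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

build_chain && verify_chain && echo "chain OK: server <- issuing <- root (files in $WORK)"
```

The second verify function is the case that produces the browser warning even after the hierarchy is set up correctly: the web server must be configured to send the issuing CA certificate along with its own, and only the root certificate is what gets distributed to internal clients as a trust anchor.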