On 17.06.2016 16:46, James B. Byrne wrote:
On Thu, June 16, 2016 13:53, Walter H. wrote:
On 15.06.2016 16:17, Warren Young wrote:
but it also affects the other public CAs: you can’t get a publicly-trusted cert for a machine without a publicly-recognized and -visible domain name. For that, you still need to use self-signed certs or certs signed by a private CA.
A private CA is the same as self signed;
No it is not. A private CA is as trustworthy as the organisation that operates it. No more and not one bit less.
We operate a private CA for our domain and have since 2005. We maintain a public CRL strictly in accordance with our CPS and have our own OID assigned.
for your understanding: every root CA certificate is self signed; any SSL certificate that was signed by a CA not delivered as built-in token in a browser is the same as self-signed;