On Jun 15, 2016, at 8:02 AM, Valeri Galtsev <galtsev@kicp.uchicago.edu> wrote:
I see neither starttls.com <http://starttls.com/> nor letsencrypt.org <http://letsencrypt.org/> among the Authorities certificates. This means (correct me if I'm wrong) that the client has to import one of these Certification Authorities' certificates, otherwise a server certificate signed by one of these authorities is on the same page with my private Certification Authority (which I used to run for over 10 years, then in my kickstart I had my CA certificate imported into CA of clients - but other clients, like laptops, had to download, install and trust my CA certificate). Of course, this is a notch better than "self-signed" server certificates, as you only need to import the CA certificate once, whereas you will need to import self-signed server certificates for each of the servers...
For my personal needs I use free StartSSL certs and the authority appears as StartCom, Ltd. in Firefox.
In my experience it is already a trusted authority in most/all browsers. At least I didn’t have to manually trust it, and I haven’t run into one that complains about it.