On Fri, June 17, 2016 11:06, Walter H. wrote:
On 17.06.2016 16:46, James B. Byrne wrote:
On Thu, June 16, 2016 13:53, Walter H. wrote:
On 15.06.2016 16:17, Warren Young wrote:
but it also affects the other public CAs: you can't get a publicly-trusted cert for a machine without a publicly-recognized and -visible domain name. For that, you still need to use self-signed certs or certs signed by a private CA.
A private CA is the same as self signed;
No it is not. A private CA is as trustworthy as the organisation that operates it. No more and not one bit less.
We operate a private CA for our domain and have since 2005. We maintain a public CRL strictly in accordance with our CPS and have our own OID assigned.
for your understanding: every root CA certificate is self-signed; any SSL certificate that was signed by a CA not delivered as a built-in token in a browser is the same as self-signed;
For your understanding, a self-signed certificate is one that has been signed by itself. Naturally ALL root certificates are self-signed. The self-signed root cert is then used to sign a subordinate CA issuing cert and that issuing cert is used to sign other subordinate CAs and / or end-user certs depending upon the permissions given it by the original signing certificate. This establishes the certificate trust chain.
If a website presents an actual self-signed cert to Firefox, for example, it will refuse it. I suppose there is a way to circumvent this behaviour but I am not aware of it. If you present a certificate that is not self-signed but is signed by an authority whose root certificate chain is not in the trusted root store, then Firefox gives you a warning -- as given in a preceding message, 'net::ERR_CERT_AUTHORITY_INVALID' -- but it nonetheless allows you to accept the certificate as an exception and proceed to the website.
If you do not want to get warnings and you trust the issuer then you can add their issuing CA cert chain to your trusted root certificate store.
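The trust chain described in the exchange above (self-signed root, subordinate issuing CA, end-entity cert) built with openssl, as an added example that is not part of the thread. It shows what a verifier does when the root is in its trust store, when the intermediate is not sent, and when a genuinely self-signed cert is presented; the CA names, hostname and file paths are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): build a private CA chain with openssl
# and check how a verifier with the root in its trust store judges each cert.
# CA names, hostnames and paths are constructed for this demonstration.
set -eu

# sign_cert CSR CAKEY CACERT EXTFILE OUT: issue a cert from a CSR.
# CACERT may be "-" to self-sign with the CSR's own key (the root case).
sign_cert() {
  if [ "$3" = "-" ]; then
    openssl x509 -req -in "$1" -signkey "$2" -days 3650 -extfile "$4" -out "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial \
      -days 365 -extfile "$4" -out "$5" 2>/dev/null
  fi
}

# build_chain DIR: self-signed root -> subordinate issuing CA -> server cert,
# plus a genuinely self-signed server cert for comparison.
build_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:intranet.example.internal\n' > leaf.ext
  for name in root issuing server self; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "/CN=Example $name" 2>/dev/null
  done
  sign_cert root.csr root.key - ca.ext root.crt                     # trust anchor: subject == issuer
  sign_cert issuing.csr root.key root.crt sub.ext issuing.crt       # signed by the root
  sign_cert server.csr issuing.key issuing.crt leaf.ext server.crt  # signed by the issuing CA
  sign_cert self.csr self.key - leaf.ext self.crt                   # no CA above it at all
)

# verify_cert DIR ANCHOR LEAF [INTERMEDIATE]: prints ok or fail, mimicking a
# client that decides whether the presented chain ends at a trusted root.
verify_cert() {
  if [ -n "${4:-}" ]; then set -- -CAfile "$1/$2" -untrusted "$1/$4" "$1/$3"
  else set -- -CAfile "$1/$2" "$1/$3"; fi
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

D=$(mktemp -d)
build_chain "$D"
echo "chained cert, root trusted, issuing CA sent:    $(verify_cert "$D" root.crt server.crt issuing.crt)"  # ok
echo "chained cert, root trusted, issuing CA missing: $(verify_cert "$D" root.crt server.crt)"  # fail
echo "self-signed cert, only root trusted:            $(verify_cert "$D" root.crt self.crt)"  # fail
echo "self-signed cert, added to trust store itself:  $(verify_cert "$D" self.crt self.crt)"  # ok
```

The last line corresponds to adding the issuer to your own trust store: the same cert that fails against the root verifies once it is itself the anchor.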