[CentOS] Self-signed certificates
Thomas E Dukes
edukes at alltel.net
Tue Jan 24 01:44:49 UTC 2006
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Jim Perrin
> Sent: Monday, January 23, 2006 8:26 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Self-signed certificates
>
> > > There is one way to get name-based hosting to work with individual
> > > certificates and not get name mismatch errors, and that's to set up
> > > the secure site on a different port. And I don't recommend that if
> > > anyone is ever going to have to type the URL into a browser; people
> > > just get confused. My recommendation is to only do that if the
> > > connection is only by link.
> > >
> >
> > Maybe that's what I need to do as these are not really 'public' sites
> > and are only used for my purposes (mail). How would you declare
> > port(s) 444, 445, 446, etc., as a secure/SSL site?
>
> This is done in the vhost statement itself.
> Notice the :443's in the /etc/httpd/conf.d/ssl.conf file in the
> <VirtualHost foo:443> and possibly also on the Listen :443 line.
> You'd just create another one on 444, or 445, etc.
>
> Again, it's possible to do this GLOBALLY for your domain with
> a top level ssl cert.
> If you create a cert for *.palmettodomains.com then you'll be
> able to use this cert for ANY subdomain of
> palmettodomains.com without problem. If people look closely
> at the cert, it will show *.palmettodomains.com, but it will
> not generate browser errors for people connecting. There are
> several institutions that have gone to certs like this to
> avoid paying the verisign extortion fees etc.
Exactly!!! Couldn't have said it better! They must be paying off some
folks some big bucks to have their names on a list browsers recognize without
causing the "Security Alert".
I'm not trying to be cheap but this is a crock! 128 bit is 128 bit!
Browsers should be able to recognize the encryption method, not the name. I
mean, that's what it's all about.
>
> fnal.gov even has a tutorial of sorts incorporating simple
> globbing into their ssl certs
> (http://www.fnal.gov/docs/products/apache/SSLNotes.html).
I'll check it out.
Thanks!!
>
> --
> Jim Perrin
> System Architect - UIT
> Ft Gordon & US Army Signal Center
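Added example, not part of the original messages: a short Python check of which hostnames a certificate issued for `*.palmettodomains.com` covers, using the RFC 6125 matching rule in which the `*` stands for exactly one left-most DNS label. The function names and the sample hostnames are constructed for illustration.

```python
# Added illustration: which hostnames a wildcard certificate name covers.
# Rule applied (RFC 6125): "*" stands for exactly one left-most DNS label.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.example.com' covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # The wildcard never absorbs dots, so both names need the same label count.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] != "*":
        return p_labels == h_labels  # plain name: exact match only
    # Refuse over-broad patterns such as '*.com' (fewer than two fixed labels)
    # and any wildcard that is not in the left-most position.
    if len(p_labels) < 3 or "*" in "".join(p_labels[1:]):
        return False
    # Left-most label may be any non-empty label; the rest must match exactly.
    return p_labels[1:] == h_labels[1:]


def coverage(pattern, hostnames):
    """Map each hostname to whether the certificate name covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


CERT_NAME = "*.palmettodomains.com"  # wildcard name mentioned in the thread
SAMPLE_HOSTS = [  # constructed hostnames, for illustration only
    "mail.palmettodomains.com",
    "www.palmettodomains.com",
    "palmettodomains.com",                   # bare domain: not covered
    "a.mail.palmettodomains.com",            # two levels deep: not covered
    "mail.palmettodomains.com.example.net",  # different domain: not covered
]

if __name__ == "__main__":
    for host, ok in coverage(CERT_NAME, SAMPLE_HOSTS).items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {host}")
```

A name reported as a mismatch here is one a browser following the same rule would warn about, so the bare domain needs its own entry in the certificate if it is served over SSL too.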