[CentOS] Self-signed certificates

Tue Jan 24 01:44:49 UTC 2006
Thomas E Dukes <edukes at alltel.net>

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Jim Perrin
> Sent: Monday, January 23, 2006 8:26 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Self-signed certificates
> 
> > > There is one way to get name-based hosting to work with individual
> > > certificates and not get name mismatch errors, and that's to set up
> > > the secure site on a different port.  And I don't recommend that if
> > > anyone is ever going to have to type the URL into a browser; people
> > > just get confused.  My recommendation is to only do that if the
> > > connection is only by link.
> > >
> >
> > Maybe that's what I need to do as these are not really 'public' sites
> > and are only used for my purposes (mail).  How would you declare
> > port(s) 444, 445, 446, etc., as a secure/SSL site?
> 
> This is done in the vhost statement itself.
> Notice the :443's in the /etc/httpd/conf.d/ssl.conf file in the
> <VirtualHost foo:443> and possibly also on the Listen :443 line.
> You'd just create another one on 444, or 445, etc.
> 
> Again, it's possible to do this GLOBALLY for your domain with 
> a top level ssl cert.
> If you create a cert for *.palmettodomains.com then you'll be 
> able to use this cert for ANY subdomain of 
> palmettodomains.com without problem. If people look closely 
> at the cert, it will show *.palmettodomains.com, but it will 
> not generate browser errors for people connecting. There are 
> several institutions that have gone to certs like this to 
> avoid paying the verisign extortion fees etc.

Exactly!!!  Couldn't have said it better!  They must be paying off some
folks some big bucks to have their names on a list browsers recognize without
causing the "Security Alert".

I'm not trying to be cheap but this is a crock!  128 bit is 128 bit!
Browsers should be able to recognize the encryption method, not the name.  I
mean, that's what it's all about.

> 
> fnal.gov even has a tutorial of sorts incorporating simple 
> globbing into their ssl certs 
> (http://www.fnal.gov/docs/products/apache/SSLNotes.html).

I'll check it out.

Thanks!!


> 
> --
> Jim Perrin
> System Architect - UIT
> Ft Gordon & US Army Signal Center
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
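The two things Jim describes above, a wildcard self-signed certificate and an SSL vhost on a port other than 443, as an added shell example that is not from the thread or from any CentOS/Apache configuration; it assumes OpenSSL 1.1.1 or newer (for `-addext`), and the domain, paths and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a self-signed wildcard
# certificate and prints an Apache vhost block on an alternate SSL port.
# Assumptions: openssl 1.1.1+ on PATH; example.test and the paths are placeholders.
set -eu

# make_wildcard_cert DOMAIN OUTDIR
#   Writes OUTDIR/wildcard.key and OUTDIR/wildcard.crt for *.DOMAIN.
#   Browsers match hostnames against subjectAltName, not only the CN, so the
#   wildcard goes in both. A wildcard covers one label (mail.DOMAIN), not
#   a.b.DOMAIN. Being self-signed, the cert still has to be imported as
#   trusted on each client; the wildcard only removes the name-mismatch error.
make_wildcard_cert() {
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$outdir/wildcard.key" -out "$outdir/wildcard.crt" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
}

# cert_has_name CERTFILE NAME
#   Succeeds if NAME appears as a DNS entry in the certificate's SAN list.
#   -F treats the '*' in a wildcard name literally instead of as a regex.
cert_has_name() {
    openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# ssl_vhost PORT HOSTNAME CERTFILE KEYFILE
#   Prints the Listen line and <VirtualHost> block for an SSL site on PORT,
#   mirroring the :443 entries in ssl.conf but on a different port.
ssl_vhost() {
    port=$1; host=$2; crt=$3; key=$4
    cat <<EOF
Listen $port
<VirtualHost *:$port>
    ServerName $host
    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
</VirtualHost>
EOF
}

# Usage (writes to /tmp/ssl-demo; the vhost text would go in a conf.d file):
# make_wildcard_cert example.test /tmp/ssl-demo
# cert_has_name /tmp/ssl-demo/wildcard.crt '*.example.test' && echo "wildcard ok"
# ssl_vhost 444 mail.example.test /tmp/ssl-demo/wildcard.crt /tmp/ssl-demo/wildcard.key
```

Each extra port (445, 446, ...) gets its own `Listen` and `<VirtualHost *:PORT>` pair; the same wildcard key and cert can be reused across them.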