[CentOS] self signing certificates

aurfalien at gmail.com aurfalien at gmail.com
Tue Aug 25 00:08:43 UTC 2009


I would go buy a cert.

They aren't much money and you can specify the granularity you want  
the cert to have, the more granularity, the higher the cost but they  
are not that much anyways.

Whether your site is internal or not is irrelevant as you should  
approach your LAN as a hostile place.

After all, 75% of breaches occur from within.  You can take that  
however you want but the days of a soft nougatine LAN are over.


On Aug 24, 2009, at 4:59 PM, James B. Byrne wrote:

>> From: Jerry Geis <geisj at pagestation.com>
>> To: CentOS ML <centos at centos.org>
>> Sent: Monday, 24 August, 2009 14:32:00
>> Subject: [CentOS] self signing certificates
>>
>> hi all,
>>
>> I have gone through the process of self signing certificates.
>> Aside from the pop-ups about not trusted etc... everything
>> appears to work.
>>
>> For "internal" applications what do people/places do?
>> It would be nice to be seamless and have the "you're not trusted"
>> window pop-up.
>>
>
> As someone else previously detailed, you really need to have a root
> signing CA that only signs certs for your issuing CAs and then use
> the issuing CAs to sign end use certificates of whatever types you
> deem appropriate.  It is considered required practice that root CA
> and issuing CAs must be physically isolated from all network
> connections and that floppy or sneaker net must be used to handle
> incoming CSR and outgoing CERTS.  If you are simply using certs for
> encryption and not for authentication then this practice probably
> can be safely dispensed with.  If you ARE using certs for
> authentication then this provision is absolutely required.
>
> The arrangement of self-signed root CA <--CSR--- Issuing CA
> <--CSR--- end-user is now critical for Firefox users. Releases in
> the 3.x series will no longer trust any self-signed CA certificate.
> So, to avoid the warning box in Firefox you must have the end use
> certificates signed by an intermediate CA whose own certificate may
> however be signed by a self-signed root.
>
>> Yet this is not a public web site either. Just internal use.
>> The server might be on the internet but people from the internet
>> are not using it.
>>
>
> Well, the available software has no way of figuring that out for
> itself, so it makes no difference. And, to be precise, "people from
> the internet should not be using it", which is rather a different
> thing.
>
>> I presume there is no way to by-pass the certificate signing
>> process - even for internal apps.
>> Is there?
>>
>
> Not unless you can live with the warning boxes.
>
> -- 
> ***          E-Mail is NOT a SECURE channel          ***
> James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
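The three-tier arrangement James describes above (self-signed root CA <--CSR--- issuing CA <--CSR--- end-user cert), as an added example that is not code from the thread: it builds the chain with the openssl CLI and then checks that the leaf only verifies when the issuing CA certificate is supplied. The CA names, the hostname intranet.example.internal and the single working directory are assumptions for illustration; the reply's point that the CA keys belong on an offline machine still applies.

```shell
# Added example (not code from the thread): the chain the quoted reply
# describes, self-signed root CA -> issuing CA -> end-entity cert, built and
# checked with the openssl CLI. All names/paths are made-up placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Key + CSR for file stem $1 with subject CN=$2 (the CSR is what travels
# to the CA; in the reply that trip is by floppy/sneakernet, here one dir).
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
  # Extension profiles: CAs get CA:TRUE + keyCertSign; the leaf gets CA:FALSE
  # plus a SAN, which is what browsers match the hostname against.
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/root.ext"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
    'authorityKeyIdentifier=keyid' > "$WORK/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:intranet.example.internal' > "$WORK/leaf.ext"
  # 1. Root CA: self-signed; this is the key that should live on the offline box.
  mkcsr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  # 2. Issuing CA: its CSR is signed by the root (root <--CSR--- issuing CA).
  mkcsr issuing "Example Issuing CA"
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/issuing.crt" 2>/dev/null
  # 3. End-entity cert: signed by the issuing CA, never directly by the root.
  mkcsr leaf "intranet.example.internal"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/issuing.crt" \
    -CAkey "$WORK/issuing.key" -CAcreateserial -days 397 -sha256 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Root trusted and intermediate supplied: the leaf verifies.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" "$WORK/leaf.crt"
}

# Root trusted but intermediate missing: fails. A server must send the
# issuing CA cert along with its own, or clients see exactly this error.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>/dev/null
}
```

Only root.crt needs to be imported into the browsers' trust store; the issuing CA certificate is served by the web server together with leaf.crt.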