[CentOS] https and self signed

Wed Jun 15 15:02:57 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, June 15, 2016 9:17 am, Warren Young wrote:
> On Jun 15, 2016, at 7:57 AM, Александр Кириллов
> <nevis2us at infoline.su> wrote:
>> Nowadays it's quite easy to get normal ssl certificates for free. E.g.
>> http://www.startssl.com
>> http://buy.wosign.com/free
> Today, I would prefer Let’s Encrypt:
>   https://letsencrypt.org/
> It is philosophically aligned with the open source software world, rather
> than acting as bait for a company that would prefer to sell you a cert
> instead.

I have got a question for the experts. I just opened the settings of Firefox
(latest, on FreeBSD), and took a look at the list of Certification
Authorities it comes with.

I do see WoSign there (though I'd prefer to avoid having my US-located
servers' certificates signed by an authority located in China, hence located
sort of behind "the great firewall of China" - call me superstitious).

I see neither starttls.com nor letsencrypt.org among the Authority
certificates. This means (correct me if I'm wrong) that the client has to
import one of these Certification Authorities' certificates, otherwise a
server certificate signed by one of these authorities is on the same page
as my private Certification Authority (which I used to run for over 10
years; then in my kickstart I had my CA certificate imported into the CA
store of the clients - but other clients, like laptops, had to download,
install and trust my CA certificate). Of course, this is a notch better than
"self-signed" server certificates, as you only need to import the CA
certificate once, whereas you will need to import self-signed server
certificates for each of the servers...

Am I missing something?

Also: with a CA signing the server certificate there is a part that is
"verification of identity" of the domain or server owner. Namely, that
whoever requested the certificate indeed exists as a physical entity (person,
organization or company) accessible at some physical address etc. This is a
costly process, and as I remember, free automatically signed certificates
were only available from a Certification Authority whose CA certificate had
no chance to be included in the CA bundles shipped with browsers, systems
etc. For that exact reason: there is "no identity verification". The latter
apparently is a costly process.

So, someone, please, set all of us straight: what is the state of the art?

Disclaimer: I have a purely academic interest in this myself: my institution
makes CA-signed certificates for my servers at no cost to me, and that
authority is in the CA cert bundles.


> I’m only aware of one case where you absolutely cannot use Let’s
> Encrypt, but it also affects the other public CAs: you can’t get a
> publicly-trusted cert for a machine without a publicly-recognized and
> -visible domain name.  For that, you still need to use self-signed certs
> or certs signed by a private CA.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
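The private-CA arrangement described in the message above (import the CA certificate once on the client, then every server certificate that CA signs verifies; a client that has not imported it sees the cert as untrusted) can be reproduced on the command line with openssl. The script below is an added example, not part of the original message or of any project; the CA names `private-ca` and `other-ca`, the hostname `www.example.org` and the temporary directory layout are constructed for the demonstration. The server certificate it issues carries only the hostname, which is also what a domain-validated certificate from a public CA carries: no organisation or address, only proof of control of the name.

```shell
#!/bin/sh
# Added example (not from the original thread): a private CA, one server
# certificate signed by it, and what a client sees depending on which CA it
# has imported.  All names below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/emptydir"   # stands in for a client with no other trust anchors

make_ca() {
  # $1 = CA name; produces a self-signed root certificate and key under $WORK
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_server_cert() {
  # $1 = issuing CA name, $2 = hostname.  Only the hostname goes into the
  # certificate (domain-validated style): no organisation, no postal address.
  ca=$1; host=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  # subjectAltName is the field modern clients match the hostname against
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -days 365 \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

verify_against() {
  # $1 = the CA this client has imported, $2 = hostname.  Giving both -CAfile
  # and -CApath keeps openssl from consulting the system bundle, so the only
  # trust anchor is $1; prints "trusted" or "untrusted".
  if openssl verify -CAfile "$WORK/$1.crt" -CApath "$WORK/emptydir" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

subject_fields() {
  # The identity the certificate actually asserts (subject DN, RFC 2253 form)
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt"
}

make_ca private-ca
make_ca other-ca
issue_server_cert private-ca www.example.org

echo "client that imported private-ca:  $(verify_against private-ca www.example.org)"
echo "client that trusts only other-ca: $(verify_against other-ca   www.example.org)"
echo "identity carried by the cert:     $(subject_fields www.example.org)"
```

The second CA plays the role of every trust store the private CA is not in (a laptop that never imported it, a browser bundle): the chain for `www.example.org` ends at `private-ca`, so against `other-ca` it is untrusted even though it is a perfectly good CA-signed certificate. Each further server certificate issued with `issue_server_cert private-ca <host>` verifies on the client that imported `private-ca` with no further action, which is the "import once" advantage over per-server self-signed certificates.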