On Jun 15, 2016, at 8:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> I see neither starttls.com <http://starttls.com/> nor letsencrypt.org <http://letsencrypt.org/> between Authorities
> certificates. This means (correct me if I'm wrong) that client has to
> import one of these Certification Authorities certificates, otherwise
> server certificate signed by one of these authorities is on the same page
> with my private Certification Authority (which I used to run for over 10
> years, then in my kickstart I had my CA certificate imported into CA of
> clients - but other clients, like laptops had to download, install and
> trust my CA certificate). Of course, this is a notch better than
> "self-signed" server certificates, as you only need to import CA
> certificate once, whereas you will need to import self-signed server
> certificates for each of the servers...

For my personal needs I use free StartSSL certs and the authority appears as StartCom, Ltd. in Firefox. In my experience it is already a trusted authority in most/all browsers. At least I didn’t have to manually trust it, and I haven’t run into one that complains about it.