[CentOS] https and self signed

Wed Jun 15 16:40:58 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, June 15, 2016 10:48 am, Warren Young wrote:
> On Jun 15, 2016, at 9:38 AM, Warren Young <wyml at etr-usa.com> wrote:
>> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
>> wrote:
>>> I do not see neither starttls.com nor letsencrypt.org between
>>> Authorities
>>> certificates.
>> That’s because they are not top-tier CAs.
> I forgot to mention that letsencrypt.com uses one of its own certificates.
>  You can use your browser’s certificate detail view to see the chain of
> trust.  I see two levels here: IdenTrust -> TrustID -> Let’s Encrypt.

Thanks, that means no need to install CA. There is always someone (Thanks,
Warren!) who looked deeper into things, and can explain them. The only
thing here is: I need to look deeper myself how the identity of the server
is ensured in this case (i.e. whether tier 2, tier 3, ... CAs really do
that. But that is more fundamental thing: basically with that in play, can
I still trust that the physical entity owning server cert is indeed who it
claims to be).

> As for starttls.com, that doesn’t exist; you’re probably confusing it
> with the SMTP STARTTLS protocol extension.  What you mean is startssl.com,
> which is the main public face of StartCom.  StartCom is a top-tier CA.

I'm sure I did copy and paste, so that should have copied from OP e-mail...

Thanks again, Warren,

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247