[CentOS] https and self signed

Thu Jun 16 18:46:53 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Valeri Galtsev wrote:
>
> On Thu, June 16, 2016 1:09 pm, Gordon Messmer wrote:
>> On 06/16/2016 10:53 AM, Walter H. wrote:
>>> lets encrypt only trusts for 3 months; would you really except in an
>>> onlineshop, someone trusts this shop?
>>> let us think something like this: "when the CA only trusts for 3
>>> months, how should I trust for a longer period
>>> which is important for warranty ..."
>>
>> I doubt that most users check the dates on SSL certificates, unless they
>> are familiar enough with TLS to understand that a shorter validity
>> period is better for security.
>
> Oh, this is what he meant: Cert validity period. Though I agree with you
> in general (shorter period public key is exposed smaller chance secret key
> brute-force discovered), logistically as the one who has to handle quite a
> few certificates, I only will go with certificates valid for a year, or
> better 2 years. Given a bandwidths and ciphers these certificates still
> can provide necessary security (I exclude here such things like server
> system compromises which have nothing to do with the time the server
> exists or certificate lives on the server - do I miss something?).

There is also what use is being made of it. For internal dev websites, for
example, not available to the outside world, I create self-signed for one
length of time... ten years. By that time, the project, if it's still
around, will have gone other ways.

      mark