On 17.06.2016 16:46, James B. Byrne wrote:
> On Thu, June 16, 2016 13:53, Walter H. wrote:
>> On 15.06.2016 16:17, Warren Young wrote:
>>> but it also affects the other public CAs: you can’t get a
>>> publicly-trusted cert for a machine without a publicly-recognized
>>> and -visible domain name. For that, you still need to use
>>> self-signed certs or certs signed by a private CA.
>>>
>> A private CA is the same as self signed;
>>
> No it is not. A private CA is as trustworthy as the organisation that
> operates it. No more and not one bit less.
>
> We operate a private CA for our domain and have since 2005. We
> maintain a public CRL strictly in accordance with our CPS and have our
> own OID assigned.

for your understanding: every root CA certificate is self signed;
any SSL certificate that was signed by a CA not delivered as built-in
token in a browser is the same as self-signed;
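
The trust-anchor mechanics discussed in this thread, as an added example that is not part of any poster's message: a shell script that builds a private root, a certificate it issues, and a stand-alone self-signed certificate, then checks each against a client trust store before and after the private root is imported. It assumes the openssl CLI with its default configuration; all file names and CNs are constructed.

```shell
#!/usr/bin/env bash
# Added example. Requires the openssl CLI; every name and CN is constructed.
W=$(mktemp -d)

mk_root() {        # $1 = file stem, $2 = CN; writes a self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

mk_leaf() {        # $1 = leaf stem, $2 = CN, $3 = stem of the issuing CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$W/$1.csr" -days 1 -CA "$W/$3.crt" \
    -CAkey "$W/$3.key" -CAcreateserial -out "$W/$1.crt" 2>/dev/null
}

trusted() {        # $1 = trust-store PEM bundle, $2 = certificate stem
  openssl verify -CAfile "$1" "$W/$2.crt" >/dev/null 2>&1
}

is_self_signed() { # true when the certificate verifies as its own only anchor
  trusted "$W/$1.crt" "$1"
}

mk_root builtin "Constructed Built-in Root"   # stands in for a browser's store
mk_root corp    "Constructed Private Root"    # the organisation's private CA
mk_leaf host    "host.internal.example" corp  # server cert issued by that CA
mk_root solo    "box.internal.example"        # stand-alone self-signed cert

cp "$W/builtin.crt" "$W/before.pem"                      # client as shipped
cat "$W/builtin.crt" "$W/corp.crt" > "$W/after.pem"      # private root imported

report() {         # print accept/reject for each cert against store $1
  for c in host solo; do
    if trusted "$W/$1.pem" "$c"; then echo "$1: $c accepted"
    else echo "$1: $c rejected"; fi
  done
}
for c in corp host solo; do
  is_self_signed "$c" && echo "$c is self-signed" || echo "$c is CA-issued"
done
report before
report after
```

Importing the one private root makes every certificate it issues verifiable, while the stand-alone self-signed certificate still has to be trusted individually.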