[CentOS] https and self signed
galtsev at kicp.uchicago.edu
Wed Jun 15 16:40:58 UTC 2016
On Wed, June 15, 2016 10:48 am, Warren Young wrote:
> On Jun 15, 2016, at 9:38 AM, Warren Young <wyml at etr-usa.com> wrote:
>> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
>>> I do not see neither starttls.com nor letsencrypt.org between
>> That's because they are not top-tier CAs.
> I forgot to mention that letsencrypt.com uses one of its own certificates.
> You can use your browser's certificate detail view to see the chain of
> trust. I see two levels here: IdenTrust -> TrustID -> Let's Encrypt.
Thanks, that means no need to install a CA. There is always someone (Thanks,
Warren!) who looked deeper into things, and can explain them. The only
thing here is: I need to look deeper myself into how the identity of the server
is ensured in this case (i.e. whether tier 2, tier 3, ... CAs really do
that. But that is a more fundamental thing: basically with that in play, can
I still trust that the physical entity owning the server cert is indeed who it
claims to be).
> As for starttls.com, that doesn't exist; you're probably confusing it
> with the SMTP STARTTLS protocol extension. What you mean is startssl.com,
> which is the main public face of StartCom. StartCom is a top-tier CA.
I'm sure I did copy and paste, so that should have been copied from the OP's e-mail...
Thanks again, Warren,
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago