On Wed, June 15, 2016 9:17 am, Warren Young wrote: > On Jun 15, 2016, at 7:57 AM, ÐлекÑандр Кириллов > <nevis2us at infoline.su> wrote: >> >> Nowadays it's quite easy to get normal ssl certificates for free. E.g. >> >> http://www.startssl.com >> http://buy.wosign.com/free > > Today, I would prefer Let’s Encrypt: > > https://letsencrypt.org/ > > It is philosophically aligned with the open source software world, rather > than act as bait for a company that would prefer to sell you a cert > instead. I have got question for experts. I just opened settings of Firefox (latest, on FreeBSD), and took a look at the list of Certification Authorities it comes with. I do see WoSign there (though I'd prefer to avoid my US located servers have certificates signed by authority located in China, hence located sort of behind "the great firewall of China" - call me superstitious). I do not see neither starttls.com nor letsencrypt.org between Authorities certificates. This means (correct me if I'm wrong) that client has to import one of these Certification Authorities certificates, otherwise server certificate signed by one of these authorities is on the same page with my private Certification Authority (which I used to run for over 10 years, then in my kickstart I had my CA certificate imported into CA of clients - but other clients, like laptops had to download, install and trus my CA certificate). Of course, this is a notch better than "self-signed" server certificates, as you only need to import CA certificate once, whereas you will need to import self-signed server certificates for each of the servers... Am I missing something? Also: with CA signing server certificate there is a part that is "verification of identity" of domain or server owner. Namely, that whoever requested certificate indeed exists as physical entity (person, organization or company) accessible at some physical address etc. This is costly process, and as I remember, free automatically signed certificates were only available from Certification Authority whose CA certificated had no chance to be included into CA bundles shipped with browsers, systems etc. For that exact reason: there is "no identity verification". The last apparently is costly process. So, someone, please, set all of us straight: what is the state of the art today? Disclaimer: I have purely academic interest in this myself: my institution makes CA signed certificated for my servers at no cost for me, and that authority is in the CA Cert bundles. Valeri > > I’m only aware of one case where you absolutely cannot use Let’s > Encrypt, but it also affects the other public CAs: you can’t get a > publicly-trusted cert for a machine without a publicly-recognized and > -visible domain name. For that, you still need to use self-signed certs > or certs signed by a private CA. ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++