[CentOS] https and self signed

Wed Jun 15 16:47:25 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Wed, June 15, 2016 10:38 am, Warren Young wrote:
> On Jun 15, 2016, at 9:02 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu>
> wrote:
>>
>> I do see WoSign there (though I'd prefer to avoid my US-located servers
>> having certificates signed by an authority located in China, hence
>> located sort of behind "the great firewall of China" - call me
>> superstitious).
>
> That’s a perfectly valid concern.  The last I heard, modern browsers
> trust 1,100 CAs!  Surely some of those CAs have interests that do not
> align with my interests.
>
>> I see neither starttls.com nor letsencrypt.org among the Authorities
>> certificates.
>
> That’s because they are not top-tier CAs.
>
>> This means (correct me if I'm wrong) that the client has to
>> import one of these Certification Authorities' certificates
>
> You must be unaware of certificate chaining:
>
>   https://en.wikipedia.org/wiki/Intermediate_certificate_authorities

Sorry, intermediate authorities just slipped my mind somehow (to say the
worst: my server certificates _are_ signed by an intermediate CA - shame on
me ;-)

Valeri


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
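Worked illustration of the certificate-chaining point raised in this thread, added here as an example and not code from the list or its posters. It builds a throw-away root -> intermediate -> leaf chain with the openssl CLI and shows that a client that trusts only the root (as browsers do with the top-tier CAs) cannot validate the leaf unless the server also presents the intermediate. It assumes the openssl command-line tool is installed; the CA names, the hostname www.example.test and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a toy root -> intermediate -> leaf
# chain and show why a server must send its intermediate certificate.
# Assumes: the openssl CLI is installed; all names and files below are
# constructed for this demonstration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:www.example.test
EOF

# Self-signed root CA: the only certificate the "client" will trust.
openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.pem" -days 2 \
  -extfile "$WORK/demo.cnf" -extensions v3_ca >/dev/null 2>&1

# Server (leaf) certificate, signed by the intermediate, the way a public CA
# such as Let's Encrypt issues end-entity certificates.
openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/leaf.pem" -days 2 \
  -extfile "$WORK/demo.cnf" -extensions v3_leaf >/dev/null 2>&1

# What a client sees when the server sends only its own certificate: the
# issuer (the intermediate) is unknown, so the chain never reaches the root.
verify_without_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# What a client sees when the server also sends the intermediate (Apache
# SSLCertificateChainFile, or a fullchain.pem): -untrusted supplies it just as
# the TLS handshake would, and the chain now ends at the trusted root.
verify_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

echo "leaf alone, root trusted:          $(verify_without_intermediate)"
echo "leaf + intermediate, root trusted: $(verify_with_intermediate)"
# To see what a real server actually presents, inspect the handshake (not run here):
#   openssl s_client -connect www.example.test:443 -servername www.example.test -showcerts </dev/null
```

The first check fails with "unable to get local issuer certificate", which is exactly the browser warning a site gets when its administrator installs the leaf but forgets the intermediate; the second succeeds because the client only needs to trust the root, provided the server hands over the rest of the chain.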