[CentOS] https and self signed

Sat Jun 18 22:08:54 UTC 2016
James B. Byrne <byrnejb at harte-lyne.ca>

On Fri, June 17, 2016 11:06, Walter H. wrote:
> On 17.06.2016 16:46, James B. Byrne wrote:
>> On Thu, June 16, 2016 13:53, Walter H. wrote:
>>> On 15.06.2016 16:17, Warren Young wrote:
>>>>   but it also affects the other public CAs: you can’t get a
>>>> publicly-trusted cert for a machine without a publicly-recognized
>>>> and -visible domain name.  For that, you still need to use
>>>> self-signed certs or certs signed by a private CA.
>>>>
>>> A private CA is the same as self signed;
>>>
>> No it is not.  A private CA is as trustworthy as the organisation
>> that
>> operates it.  No more and not one bit less.
>>
>> We operate a private CA for our domain and have since 2005.  We
>> maintain a public CRL strictly in accordance with our CPS and have
>> our
>> own OID assigned.
> for your understanding: every root CA certificate is self signed;
> any SSL certificate that was signed by a CA not delivered as built-in
> token in a browser is the same as self-signed;
>
>
>

For your understanding, a self-signed certificate is one that has been
signed by itself.  Naturally ALL root certificates are self-signed. 
The self-signed root cert is then used to sign a subordinate CA
issuing cert and that issuing cert is used to sign other subordinate
CAs and / or end-user certs depending upon the permissions given it by
the original signing certificate.  This establishes the certificate
trust chain.

If website presents an actual self-signed cert to Firefox for example,
it will refuse it.  I suppose there is a way to circumvent this
behaviour but I am not aware of it. If you present a certificate that
is not self-signed but is signed by an authority whose root
certificate chain is not in the trusted root store then Firefox gives
you a warning -- as given in a preceding message
'net::ERR_CERT_AUTHORITY_INVALID' --
but it none-the-less allows you to accept the certificate as an
exception and proceed to the website.

If you do not want to get warnings and you trust the issuer then you
can add their issuing CA cert chain to your trusted root certificate
store.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3