Re: Self-signed SSL cert vs. CA on same server

From: Chris de Vidal (cdevidal_at_yahoo.com)
Date: 11/25/03

    Date: Tue, 25 Nov 2003 13:31:34 -0800 (PST)
    To: shihminlu@yahoo.com
    
    

    --- sherwin Lu <shihminlu@yahoo.com> wrote:
    > Normally, your browsers already have a set of CA
    > certificates that your vendor deems trustworthy. You
    > must add your own CA's certificate to all PCs manually
    > to protect against the man-in-the-middle-attack.
    > Otherwise, having a CA or your server signing its own
    > certificate is no different.

    Since writing this email, I've created my CA on the same server and used Active
    Directory to automatically trust the CA (and thus any certificates it creates).
    Since the trust has already been established, I believe we are now secure.

    > This is a very simplified explanation of CAs. If you
    > choose to implement a CA, please do NOT put the CA on
    > the same machine as your apache server. That's the
    > most insecure thing you can do.

    Other than ensuring the browser trusts the CA (done), what other risks are
    there that I should be aware of? It's not too late to move the CA if I am made
    aware of something else.

    =====
    /dev/idal
    "GNU/Linux is free freedom" --Me
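    [Added example, not part of the original thread or either poster's setup.
    The script below builds a throwaway private CA with openssl, issues a
    server certificate from it, and then does what an attacker who has
    compromised the Apache host can do when ca.key lives there: mint a
    certificate for some other internal hostname that every client trusting
    ca.crt will accept. It also shows that a plain self-signed server cert is
    rejected by such a client, which is the "self-signed vs CA" difference
    sherwin describes. Hostnames, file names and the Active Directory
    deployment step are hypothetical; only openssl is required.]

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds a throwaway private CA
# with openssl, signs a server certificate with it, and then shows what an
# attacker can do with the CA private key if it is stored on the web server.
# Hostnames and file names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private CA: ca.key must stay off the web server; ca.crt is the part that gets
# distributed to clients (in the thread, via Active Directory).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a certificate for CN=$1 into $WORK/$2.crt using the CA key.
# This is exactly the operation an attacker performs with a stolen ca.key.
issue_with_ca() {
  cn="$1"; name="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.crt" >/dev/null 2>&1
}

# A plain self-signed server certificate for CN=$1, the alternative under
# discussion: no CA involved at all.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Client-side check: does a client that trusts only ca.crt accept $WORK/$1.crt?
# Exit status 0 = accepted, non-zero = rejected.
trusted_by_clients() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

demo() {
  make_ca
  issue_with_ca "www.example.internal" server        # legitimate apache cert
  make_self_signed "www.example.internal" selfsigned  # self-signed, no CA
  issue_with_ca "mail.example.internal" forged        # attacker holding ca.key

  for c in server selfsigned forged; do
    if trusted_by_clients "$c"; then
      echo "$c.crt: accepted by clients trusting ca.crt"
    else
      echo "$c.crt: rejected"
    fi
  done
  echo "files left in $WORK"
}

demo
```

    Expected outcome: server.crt and forged.crt are accepted, selfsigned.crt
    is rejected. The Apache host only ever needs server.key, server.crt and
    (for the chain) ca.crt; it never needs ca.key, so that file is the one to
    keep on a separate, offline or tightly controlled machine. Note that
    openssl verify without -verify_hostname does not check the name; a real
    browser additionally matches the hostname against the certificate's
    subjectAltName, which does not change the result here since the attacker
    chooses whatever name he wants when minting forged.crt.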


