On 8/11/2017 1:29 PM, Ralph Seichter wrote:
On 11.08.2017 11:36, Michael Felt wrote:

This is what Ralph means when he says "have been running a CA for
15+ years" - not that he is (though he could!) selling certificates
commercially - rather, he is using an initial certificate to sign
later certificates with.
Actually, I do sell certificates to my customers. :-) In small numbers,
and only for servers to which I have administrative access.
So, not really "selling", but an additional service.
I created a
root CA and two intermediate CAs (one each for client and server certs,
respectively).

It would be great to have my CAs added to Mozilla's NSS root certificate
store, but alas, the effort to get there is massive. Where possible, I
will add my CA certs to the customers' keystores. I also made my CA
certs available for public download, so tech-savvy users can import the
CA certs manually.

Again, technically, there is no difference in a self-signed 2048-bit RSA
key, and one signed by a "major" CA. However, in the "ease of use" there
may be major differences.
In 2015 I rolled out an updated CA which I have used ever since, with
4096 bit keys for root and intermediary CA certs. I also only generate
4096 bit keys for servers these days, so my cert chain is "stronger"
than those of some commercial CAs. Also, it is good to know that these
certs have never been touched by anybody but myself. I even install my
own CA cert chain on my iOS devices.

And, Ralph, I salute you. I have never been able to be disciplined
enough to be my own CA.
I encourage you to look into the subject again.
I actually have been, which is why I could give a near sensible reply. Thanks for the encouragement!
With the advent of Let's
Encrypt, free certs for the masses have become a thing, but if you need
more than 3 months validity, want to create certs for intranet devices
(routers, local servers), or just want maximum control over all certs,
setting up your own CA is rewarding. While you're at it, no gentleman
should be without DNSSEC, DKIM and DANE these days. ;-)
I should know all three, but, sadly, I know only one: two things to add to my list of things to research.
-Ralph
