On 8/18/2017 9:12 AM, voy...@sbt.net.au wrote:
On Fri, August 18, 2017 5:02 pm, Michael Felt wrote:
On 8/11/2017 1:29 PM, Ralph Seichter wrote:
And, Ralph, I salute you. I have never been able to be disciplined
enough to be my own CA.
I encourage you to look into the subject again.

I actually have been, which is why I could give a near sensible reply.
Thanks for the encouragement!

With the advent of Let's
Encrypt, free certs for the masses have become a thing, but if you need
more than 3 months validity, want to create certs for Intranet-devices
(routers, local servers), or just want maximum control over all certs,
setting up your own CA is rewarding. While you're at it, no gentleman
should be without DNSSEC, DKIM and DANE these days. ;-)
I should know all three, but, sadly, only one: two things to add to my
list of things to research.

I have been reading this with some interest (while trying to migrate
Dovecot, Postfix etc..)

BUT, for a public web server where https is becoming mandatory, I'd still
need a certificate from a recognized publisher, to avoid users getting
'warnings', is that so?

(I'm currently using self issued for both mail and web)
Above - Ralph added:
I also made my CA
certs available for public download, so tech-savvy users can import the
CA certs manually.
Depending on your site popularity (aka number of "random" users), you could also instruct them how to access your signing key. Once they had that, they would auto-magically recognize any other keys you signed with your CA "roots".

In other words, if the work for you to instruct users to use your CA is more expensive than using a commercial CA, save money and use a commercial CA. Before spending any money on a commercial CA, look at alternatives such as Let's Encrypt. I am also looking at http://www.cacert.org/ (That might be something for you, Ralph!)


thanks,

V
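The warning question above comes down to which trust store the client consults. As an added illustration (not code from anyone in this thread), the script below builds a throwaway private CA with the openssl CLI, issues a server cert signed by it, and then verifies that cert twice: once against an empty trust store (a browser that has not imported the root, which is the "warning" case) and once with the CA root supplied (the manual import Ralph describes). The CA name "Example Private CA" and the host name mail.example.test are assumptions chosen for illustration; everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway private CA built with the
# openssl CLI, showing why a cert signed by your own CA is "untrusted" to a client
# that has not imported the CA root, and trusted once it has. The CA name and the
# host name are assumptions chosen for illustration; everything lives in a temp dir.

WORK="$(mktemp -d)"
mkdir -p "$WORK/empty"   # an empty trust store, standing in for a browser without our root

# Minimal config so the example does not depend on the system openssl.cnf.
# ca_ext marks the root as a CA, which verifiers require for a v3 certificate.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1: the CA root, a self-signed certificate plus its private key.
make_ca() {
    openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Step 2: a server certificate for "$1", signed by the CA (not by itself), with
# a SAN and serverAuth EKU as browsers expect. Short validity, like Let's Encrypt.
make_server_cert() {
    host="$1"
    openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$WORK/$host.key" -out "$WORK/$host.csr" \
        >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 90 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# Step 3a: verify like a client that has NOT imported the root. Only the empty
# store is consulted; "untrusted" is what a browser surfaces as a warning.
verify_without_root() {
    if openssl verify -CApath "$WORK/empty" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Step 3b: verify like a client that HAS imported the root: the chain now
# anchors at ca.crt and verification succeeds.
verify_with_root() {
    if openssl verify -CApath "$WORK/empty" -CAfile "$WORK/ca.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

cleanup() { rm -rf "$WORK"; }

# Build the CA, issue one cert, and show both verification outcomes.
demo() {
    make_ca && make_server_cert mail.example.test || { echo "openssl failed" >&2; return 1; }
    echo "without CA root imported: $(verify_without_root mail.example.test)"
    echo "with CA root imported:    $(verify_with_root mail.example.test)"
}

demo
```

Run it with `sh private-ca-demo.sh` (any file name); the first line of output is the untrusted verdict, the second the trusted one. The only difference between the two verify calls is the `-CAfile` argument, which is exactly what a manual root import changes on a user's machine; the server cert, its SAN and its validity are identical in both cases. Call `cleanup` afterwards to remove the temporary directory and keys.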
