David Woolley <[EMAIL PROTECTED]>:

> Self signing the server certificate is not very sensible, but that
> would be the one to install if it is self signed. A more sensible
> approach would be for them to create a self signed (i.e. root
> certificate) for the whole organisation, and use that to sign the
> server certificates.

this is definitely good advice. i wonder why they didn't bother. could the original poster "walk down the hall" to where the servers are situated and propose this cleaner solution? it is not in any way [much] more complicated than making a single, self-signed cert in the first place, but everybody using these certs would benefit, more so in case false certificates are introduced. suddenly, the browsers warning before using self-signed certificates would start to make sense, and it would be the user's own responsibility to deny them, and he would do the right thing, even!

btw: does somebody have a good URL for making and using local CA certificates? it would have to feature relevant sections of a modified openssl.cnf to make sense, because entries in this configuration file don't have to be specified over and over again in interactive use of the openssl(1) utility. beware that this file may have other names, too, i.e. this name isn't hardcoded.

clemens
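
The setup discussed in this message, as an added example that is not part of the original post or of any project's own documentation: an organisation root certificate signs the server certificate, with the settings kept in a dedicated config file instead of typed interactively. The organisation name, host name, file names and the function names `make_local_ca` and `chains_to_root` are constructed for illustration.

```shell
#!/bin/sh
# Added example: organisation root CA signing a server certificate.
# Names (Example Org, www.example.internal) and file names are constructed.

make_local_ca() (
    umask 077                      # private keys readable by owner only
    mkdir -p "$1" && cd "$1" || exit 1
    # Settings live in the config file, so nothing is retyped interactively.
    cat > ca.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
O  = Example Org
CN = Example Org Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.internal
EOF
    srv='/O=Example Org/CN=www.example.internal'
    # 1. Self-signed root certificate: the only one users install as trusted.
    #    (-nodes leaves the key unencrypted for the demo; protect a real CA key.)
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config ca.cnf -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # 2. Server key and certificate request.
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config ca.cnf \
        -subj "$srv" -keyout server.key -out server.csr 2>/dev/null || exit 1
    # 3. Root signs the request, adding the server extensions from ca.cnf.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_server -sha256 -days 365 \
        -out server.crt 2>/dev/null || exit 1
    # 4. A "false" certificate for the same name, not signed by the root.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config ca.cnf -subj "$srv" -keyout rogue.key -out rogue.crt 2>/dev/null
)

# Succeeds only if certificate $2 chains to the root in directory $1.
chains_to_root() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2" 2>/dev/null | grep -q ': OK$'
}
```

Users install only `ca.crt`; `server.crt` then verifies against it, while the look-alike `rogue.crt` for the same host name does not.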
