Joel wrote:

>Had another newbie type question --
>
>When reading about how to set up a self-signed web server, the docs I
>read indicate there is a need for two certificates -- one being a
>self-signed certificate for the entity certifying the server, and the
>other being the certificate the web server gives out (certified by the
>self-signed certificate).
>
>Reading the RFCs and the docs, it seems like CAs would similarly have
>the certificate(s?) they operate under and the certificate they give out.
>And it looks like a root CA does not give out its self-signed
>certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
>The paragraph I'm reading now about pathLenConstraint makes it look like
>the root CA does give out his self-signed certificate when he gives one
>out -- talking about the count of non-self-signed certificates.)
>
>Does setting up a root CA require generating a self-signed certificate,
>and then generating an operating certificate signed under the
>self-signed certificate, or am I thinking too hard and as confused as
>usual?
>
I think it may be possible to use a self-signed (or root) certificate
for a web server but it does not make much sense.
If you want to build up a CA (for in-house use in a company, for example)
you should use the CA's key ONLY to sign certificates.
If you just want to play around with SSL it's better to simulate the
usual approach, especially since this only costs you the call of another
script.
Using a self-signed CA in an Internet environment is almost senseless
since this leaves you open to man-in-the-middle attacks. And most people
who can listen to the wire can also redirect requests.

Hope it helps,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
