<noloa...@gmail.com> wrote:
> You pin a certificate by whitelisting expected server certificates
> (possibly thumbprints).

How to do that?

> There's usually no need to sign another's key or certificate (I've never
> done it that way, and never seen it done that way).

A little more background...

Stories like the DigiNotar compromise [1] may happen again, anytime.

I am developing an anonymous operating system [2]. We use wget to download
Tor Browser from torproject.org and to access check.torproject.org. (Not
available over secure apt.)

Wget does offer CA pinning, but does not support certificate pinning [3].

So my original question was: how do I get wget to verify the torproject.org
fingerprint [4] without depending on root CAs?

The only possible solution I saw was downloading the torproject.org SSL
public key, running a local CA, signing the certificate and running wget
with the --ca-certificate switch. That's why I posted the question "Sign
public key without having CSR or private key?" here.

If there are any suggestions for this situation I am all ears.

[1] https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
[2] https://trac.torproject.org/projects/tor/wiki/doc/TorBOX/
[3] https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00008.html
[4] https://www.torproject.org/docs/faq.html.en#SSLcertfingerprint

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
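The thumbprint whitelisting the quoted reply recommends, as an added example that is not part of the original thread nor of wget, Tor or any project mentioned in it: compare the SHA-256 thumbprint of the certificate a server actually presents against a thumbprint you obtained out of band, and only then let wget use it. It assumes the openssl command-line tool is installed; the certificate it checks is a throwaway self-signed one generated locally (constructed test data), so the script runs offline, and the helper that would fetch a live certificate with s_client is defined but not called. The host name pinning-demo.example is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): certificate pinning by
# thumbprint with the openssl CLI, independent of any root CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sha256_fingerprint FILE
# Prints the SHA-256 thumbprint of a PEM certificate in openssl's
# colon-separated upper-case form (the "... Fingerprint=" prefix stripped).
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_pin FILE EXPECTED
# Returns 0 if FILE's thumbprint equals EXPECTED, 1 otherwise. Colons and
# letter case are ignored so a fingerprint copied from a web page or an
# e-mail in either notation compares correctly.
check_pin() {
    actual=$(sha256_fingerprint "$1" | tr -d ':' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    [ "$actual" = "$expected" ]
}

# fetch_server_cert HOST OUTFILE
# Saves the leaf certificate HOST presents on port 443 (SNI set to HOST).
# Needs network access; defined for reference, not executed here.
fetch_server_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Constructed test data: a self-signed certificate standing in for the
# server certificate you would normally obtain with fetch_server_cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/server.pem" \
    -subj "/CN=pinning-demo.example" 2>/dev/null

# The pin you would have recorded out of band (here: read from the test
# certificate itself, since it was just generated).
PIN=$(sha256_fingerprint "$WORK/server.pem")
echo "pinned thumbprint: $PIN"

if check_pin "$WORK/server.pem" "$PIN"; then
    echo "thumbprint matches: safe to pass this file to wget --ca-certificate"
    # wget --ca-certificate="$WORK/server.pem" https://pinning-demo.example/
else
    echo "thumbprint MISMATCH: refuse to download" >&2
    exit 1
fi

# A wrong pin (constructed) must be rejected; this is the DigiNotar case,
# where a CA-valid but unexpected certificate shows up.
WRONG_PIN=$(printf '%s' "$PIN" | tr '0-9A-F' '1-90A-FA')
if check_pin "$WORK/server.pem" "$WRONG_PIN"; then
    echo "BUG: wrong pin accepted" >&2
    exit 1
fi
echo "wrong thumbprint correctly rejected"
```

The thumbprint check happens before wget runs, so it does not depend on whether the TLS library wget was built with accepts a leaf certificate in --ca-certificate as a trust anchor; the pin should be fetched over a channel you already trust (for example from a signed package or a fingerprint published by the site's operators, as in [4]), not from the same connection you are about to verify.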