On Thu, Nov 20, 2003 at 10:05:39AM +0100, Andreas Aardal Hanssen wrote:
> If the server only provides a self-signed cert, then the client will have
> no CA to look it up with, and so the identity of the server can not be
> verified. The communication is still encrypted, but it is vulnerable to
> interception, forging, replay etc.
>
> So the three options are:
>
> 1 - Provide plain text authentication
> 2 - Provide SSL encryption with a self-signed certificate
> 3 - Provide SSL encryption with a third-party signed certificate
4 - DIY CA. It's actually not all that hard to set one up with openssl. Make a CA, a CA key and a CA cert, and then you can start making certs for both servers and clients. Install the CA cert (but not the key!) on all clients and it'll work just like the commercial ones.

Something a little trickier is the LDAP server that serves the CRL (Cert Revocation List), which should also be set up, as it's the only way for you to stop the use of a server certificate that has been compromised.

Oh well. Just a thought. :)

//Peter
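As an added example, not from this thread or from Peter, the DIY CA steps above done with the openssl CLI, including the CRL check that the CRL server exists to make possible. It assumes an `openssl` binary on PATH; the directory, file names, config and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal do-it-yourself CA with the
# openssl CLI, following Peter's steps. All names and paths are constructed.
set -e

# Config for 'openssl req' and 'openssl ca'; the latter handles revocation
# and CRL generation. demo_ca_setup writes it into the CA directory.
ca_config() {
  printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' \
    '[ v3_ca ]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' \
    '[ ca ]' 'default_ca = demo' '[ demo ]' 'database = index.txt' \
    'new_certs_dir = .' 'serial = serial' 'certificate = ca.crt' \
    'private_key = ca.key' 'default_md = sha256' 'default_crl_days = 30'
}

# CA key + self-signed CA cert, then a server and a client cert signed by it.
# Only ca.crt is handed out to clients; ca.key never leaves the CA machine.
demo_ca_setup() (
  mkdir -p "$1" && cd "$1"
  ca_config > ca.cnf && : > index.txt && echo 1000 > serial
  openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 365 -keyout ca.key -out ca.crt -subj '/CN=Demo Private CA' \
    2>/dev/null
  for n in server client; do
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$n.key" \
      -out "$n.csr" -subj "/CN=$n.example.test" 2>/dev/null
    openssl x509 -req -sha256 -days 90 -in "$n.csr" -CA ca.crt -CAkey ca.key \
      -CAcreateserial -out "$n.crt" 2>/dev/null
  done
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # empty CRL so far
)

# Revoke one cert and publish a fresh CRL: crl.pem is what the CRL
# distribution point (the LDAP server in Peter's setup) would serve.
demo_revoke() (
  cd "$1" && openssl ca -config ca.cnf -revoke "$2" 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
)

# Chain check only: all a client with just ca.crt installed can do.
demo_verify() (
  cd "$1" && openssl verify -CAfile ca.crt "$2" >/dev/null 2>&1
)

# Chain check plus CRL check: non-zero once the cert is on the CRL.
demo_verify_crl() (
  cd "$1" && openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$2" \
    >/dev/null 2>&1
)
```

Run `demo_ca_setup ./demo-ca`, then `demo_revoke ./demo-ca server.crt`: `demo_verify` keeps accepting the revoked server cert while `demo_verify_crl` rejects it, which is exactly the gap the CRL server closes.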
