So at the company I work for, most of the internal systems have
expired SSL certs, or self-signed certs.  Obviously this is bad.

Sorta. TLS gets along with self signed just fine though, and obviously you can choose to accept a root or unsigned cert on a per-client basis.

I know that if we had IT put our root cert in the browsers, that we
could then generate our own SSL certs.

sure. for IE its just a registry key, trivial to push out using login scripts etc.

Are there any options that don't involve adding a new root CA?

buying a intermediate cert from an existing CA? buying a "wildcard" cert for your domain, and using the same wildcard cert on all nodes?

I would think this would be rather common, and I may have heard about
certs that had authority to sign other certs in some circumstances...

at one point, you could use *any* cert to sign another cert; IE didn't bother checking. I believe they have fixed that now.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to