[EMAIL PROTECTED] wrote:
> So at the company I work for, most of the internal systems have expired SSL certs, or self-signed certs. Obviously this is bad.

Sorta. TLS gets along with self-signed just fine though, and obviously you can choose to accept a root or unsigned cert on a per-client basis.

> I know that if we had IT put our root cert in the browsers, we could then generate our own SSL certs.

Sure. For IE it's just a registry key, trivial to push out using login scripts etc.

> Are there any options that don't involve adding a new root CA?

Buying an intermediate cert from an existing CA? Buying a "wildcard" cert for your domain, and using the same wildcard cert on all nodes?

> I would think this would be rather common, and I may have heard about certs that had authority to sign other certs in some circumstances...

At one point, you could use *any* cert to sign another cert; IE didn't bother checking. I believe they have fixed that now.
---------------------------------------------------------------------
The Cryptography Mailing List
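Added example, not part of the original message: a simplified model of the issuer checks a client has to make so that an ordinary server cert cannot sign another cert, and so that a purchased intermediate stays within its path-length limit. It assumes the RFC 5280 basicConstraints fields (cA, pathLenConstraint); the Cert record, the names and the sample chains are constructed, and signature, validity-date and hostname checks are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint


def chain_errors(chain: List[Cert], trusted_roots: Set[str]) -> List[str]:
    """chain[0] is the server cert, chain[-1] the root. Returns the problems found."""
    errors = []
    if not chain or chain[-1].subject not in trusted_roots:
        errors.append("chain does not end at a trusted root")
    for i, cert in enumerate(chain[:-1]):
        issuer = chain[i + 1]
        if cert.issuer != issuer.subject:
            errors.append(f"{cert.subject}: issuer field does not name {issuer.subject}")
        # The check the reply says was once skipped: only a CA cert may sign.
        if not issuer.is_ca:
            errors.append(f"{issuer.subject}: signed {cert.subject} but is not a CA")
        # pathLenConstraint limits how many intermediates may sit below this CA;
        # chain[1..i] are the certs between this issuer and the server cert.
        if issuer.path_len is not None and i > issuer.path_len:
            errors.append(f"{issuer.subject}: pathLenConstraint {issuer.path_len} exceeded")
    return errors


# Constructed sample data.
ROOTS = {"Corp Root CA"}
ROOT = Cert("Corp Root CA", "Corp Root CA", is_ca=True)
ISSUING = Cert("Corp Issuing CA", "Corp Root CA", is_ca=True, path_len=0)
WIKI = Cert("wiki.corp.example", "Corp Issuing CA")
OTHER = Cert("other.corp.example", "wiki.corp.example")  # signed by a server cert

GOOD = [WIKI, ISSUING, ROOT]
BAD = [OTHER, WIKI, ISSUING, ROOT]

if __name__ == "__main__":
    print("good chain:", chain_errors(GOOD, ROOTS))
    for problem in chain_errors(BAD, ROOTS):
        print("bad chain:", problem)
```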
