I have looked at let's encrypt. Key issue for me is having to add a lot python stuff that would otherwise not be on any server.

Again, All CA's like "Let's Encrypt" - and others that are accepted by the "majors", e.g., Windows, Mozilla make it much easier for the "random" user to use anything you protect with SSL (better TLS) without them having to grant "trust" manually. That "trust" is indicated because the CA that signed your certificate is recognized by a CA, that is recognized by CA, that is recognized by a CA in the "root-trust" list that the "majors" make available (e.g., the mozilla list available via the curl site (https://curl.haxx.se/docs/caextract.html)).


Now - back to Ralph's comment:


On 8/10/2017 1:42 PM, Ralph Seichter wrote:
I have been running a CA for 15+ years, generating certificates only for
servers I personally maintain. Since my business is too small to be able
to afford all the steps required to have my CA trusted by Mozilla, Apple
etc., this approach leaves me with the same problem self-signed certs
have: How can I make third party applications like web browsers or MUAs
trust the certs I created?
Rather than make the mistake I did years ago by make "unique" self-signed certificates for different servers - start out with a self-signed certificate that you use as a signing certificate. This is what Ralph means when he says "have been running a CA for 15+ years" - not that he is (though he could!) sell certificates commercially - rather, he is using an initial certificate to sign later certificates with. So, his "users" only need to add the public side of his signing certificate - and any certificate he has signed meets the "chain of trust".

So, if your users are "random", i.e., can come from anywhere - you may want a "major accepted/recognized" certificate authority so that you do not have to distribute your signing key. However, if your user pool is "select", or otherwise known - requiring them to use your "self-signed" CA may be a positive, rather than a negative.

Again, technically, there is no difference in a self-signed 2048-bit RSA key, and one signed by a "major" CA. However, in the "ease of use" there may be major differences.

And, Ralph, I salute you. I have never been able to be disciplined enough to be my own CA. :)

Reply via email to