Remember, Charles, this kludge of making my own CA and signing my own web cert is in lieu of something probably worse for security, saying yes to the red warning messages in Chrome and Firefox. So in either case we're already open to a DNS spoof. The home-made cert is simply to make it easier on the users without spending any money. And you can specify an expiration far in the future.

But just so y'all know, I stopped doing this in 2021 and now spend $96 a year at zerossl.com for web certs. For that I get three 1-year certs, and an unlimited number of 90-day certs. Far cheaper than buying individual certs via Godaddy, etc. Zerossl provides a pretty good set of API calls so the updates can be done automatically on the typical web server, but yeah, an HMC is not your typical web server so things would probably have to be done manually there.

On 8/29/2023 6:31 AM, Charles Mills wrote:
Just being a security PITA here, but that solution makes the security of their 
systems subject to whatever safeguards you do or do not put on yours.

If I can extract the CA private key from your PC then it is trivial for me to 
create a www.chase.com certificate that will be trusted by their browsers 
without any question, and mount a man-in-the-middle attack on their banking.

CM

On Mon, 28 Aug 2023 16:23:55 -0700, Tom Brennan <[email protected]> 
wrote:

Does that work?  In the past when I created a self-signed cert (for
Apache on Linux), adding it to the trusted certs didn't work (at least
in Chrome).  I still got the evil warnings.  I ended up creating my own
CA, used that to sign the web cert, and then copied the CA to the
trusted certs in Chrome.  Then I gave out the CA to the folks I work
with who needed to access the web page, and they did the same.  That was
easy and cheap for a small group of known users.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN


