Right. This is the confusion on what self-signed means. "Properly" (to be a pedant) self-signed means the certificate is at the head (or bottom, if you will) of the chain. It attests to its own validity; it signs itself; it is not signed by some other certificate -- self-signed does NOT mean that it is signed by you yourselves as opposed to some "known and trusted" authority.
There is no way you can become a "known and trusted authority" unless you want to go to the trouble of competing with Verisign and GoDaddy and become a known and trusted authority. OpenSSL (and other tools presumably) can create a self-signed certificate. They can create a chain of certificates signed by your in-house authority. But no tool can make you into Verisign or GoDaddy. No tool can make you known and trusted. Verisign and GoDaddy are known and trusted simply because they are known and trusted. There is nothing in the TLS protocol that makes them any different from your in-house authority, or for that matter, a private little root certificate that you create on your desktop.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Gord Tomlin
Sent: Wednesday, June 22, 2016 7:17 AM
To: [email protected]
Subject: Re: z/OS OpenSSL, SelfSigned Certs, etc

On 2016-06-22 10:01, Donald J. wrote (snipped):
> With the recent talk about negative aspects of using self-signed certs,
> I attempted to see if OpenSSL could be used to generate a root
> certificate and a user cert chained to that root cert.

This appears to me to just build a "son of a self-signed certificate", since your root certificate will not be a known and trusted certificate.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
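The exchange above can be reproduced on any box with the OpenSSL command-line tool. The script below is an added example and is not code from the thread or from IBM: it builds the chain Donald J. describes (a root that signs itself, a leaf certificate signed by that root), checks which of the two is self-signed in the strict sense Charles gives (issuer name equals subject name, signature made with the certificate's own key), and then verifies the leaf twice. With the in-house root handed to `openssl verify` as a trust anchor the chain is OK; against the default trust store alone it fails, which is the whole of the "known and trusted" difference. The DNs (`Example In-House Root CA`, `host.example.internal`), the file names and the scratch directory are made up for the example.

```shell
#!/bin/sh
# Added example (not from the IBM-MAIN thread): self-signed root plus a leaf
# chained to it, built with the OpenSSL CLI, then verified with and without
# the root as a trust anchor. Names and paths are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, certs and config

make_chain() {
    # Idempotent: skip generation if the chain already exists in $WORK
    [ -f "$WORK/leaf.pem" ] && return 0

    # Minimal config: the root is a CA, the leaf explicitly is not
    cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Example In-House Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

    # 1. Root: self-signed in the strict sense. Subject and issuer are the
    #    same name and the signature is made with the certificate's own key.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -days 365 -config "$WORK/ext.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    # 2. Leaf ("son of a self-signed certificate"): a request for the host
    #    name, signed with the root's key instead of its own.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -sha256 -config "$WORK/ext.cnf" -subj "/CN=host.example.internal" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 365 \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the subject or issuer DN of a PEM certificate without the "x=" prefix
dn_field() {   # usage: dn_field subject|issuer FILE
    openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"
}

# Name test for self-signed: the certificate names itself as issuer.
is_self_signed() {
    [ "$(dn_field issuer "$1")" = "$(dn_field subject "$1")" ]
}

# Signature test for self-signed: the root validates with itself as anchor.
root_verifies_itself() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/root.pem" >/dev/null 2>&1
}

# The leaf verifies when the in-house root is supplied as the trust anchor.
verify_with_root() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The same leaf fails against the default trust store alone: nothing there
# vouches for "Example In-House Root CA", exactly as nothing in TLS itself
# would. Verisign and GoDaddy differ only by being present in that store.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath "$WORK/leaf.pem" >/dev/null 2>&1
}

main() {
    make_chain
    echo "root.pem names itself as issuer:      $(is_self_signed "$WORK/root.pem" && echo yes || echo no)"
    echo "leaf.pem names itself as issuer:      $(is_self_signed "$WORK/leaf.pem" && echo yes || echo no)"
    echo "root.pem verifies against itself:     $(root_verifies_itself && echo yes || echo no)"
    echo "leaf.pem verifies with root as anchor: $(verify_with_root && echo yes || echo no)"
    echo "leaf.pem verifies, default store only: $(verify_without_root && echo yes || echo no)"
}
main
```

The generated files stay in `$WORK` so they can be inspected with `openssl x509 -in "$WORK/root.pem" -noout -text`; adding `root.pem` to a client's trust store (or to the `-CAfile` a server hands out) is the only thing that turns the last line from "no" into "yes".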
