On Sat, Jul 7, 2012 at 2:27 PM, <pro...@secure-mail.biz> wrote:
> Hello,
>
> is it possible to sign a foreign SSL public key without having the CSR/private
> key?
>
> Background:
> Because the public root CAs failed at least twice (DigiNotar, Comodo), I'd
> like to pin an SSL certificate from a website I have no control over.
> (Therefore I have no access to the private key and can subsequently also not
> create a CSR.) Pin the SSL cert by using a local self-signed CA.
>

Don't forget MD5 signatures and the nuances of Flame (chosen collision attack, Microsoft's profile, and lack of key usage enforcement). Also, other infrastructure problems, such as DNS, are remediated.

You pin a certificate by whitelisting expected server certificates (possibly thumbprints). There's usually no need to sign another's key or certificate (I've never done it that way, and never seen it done that way).

Jeff
______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
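The whitelist approach Jeff describes, as an added example that is not part of the thread: a Python client computes the SHA-256 fingerprint of the server's DER certificate and refuses the connection unless it is on a per-host pin list. The hostname and digest in `PINNED_CERTS` are constructed placeholders, and `connect_pinned`, `pin_matches` and `normalize_pin` are names assumed for this example.

```python
"""Pin a server certificate by whitelisting its SHA-256 fingerprint."""
import hashlib
import socket
import ssl

# Constructed placeholder pins (assumption: neither host nor digest is real).
# Obtain the real digest out of band, e.g. from a saved copy of the cert:
#   openssl x509 -in server.pem -noout -fingerprint -sha256
PINNED_CERTS = {
    "www.example.invalid": {
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
        "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
    },
}


def normalize_pin(text: str) -> str:
    """Accept openssl's 'AB:CD:...' form or bare hex; compare in lowercase."""
    return text.replace(":", "").strip().lower()


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value openssl -fingerprint prints."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(hostname: str, der_cert: bytes, pins=PINNED_CERTS) -> bool:
    """True only if the presented certificate is whitelisted for this host."""
    expected = {normalize_pin(p) for p in pins.get(hostname, ())}
    return fingerprint(der_cert) in expected


def connect_pinned(hostname: str, port: int = 443,
                   pins=PINNED_CERTS, timeout: float = 5.0) -> str:
    """Open a TLS connection and reject it unless the server cert is pinned.

    Chain and hostname validation against the system CA store still runs;
    the pin is an additional check layered on top, not a replacement.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(hostname, der, pins):
                raise ssl.SSLCertVerificationError(
                    f"certificate for {hostname} is not pinned: "
                    f"{fingerprint(der)}")
            # Application traffic over `tls` would go here.
            return fingerprint(der)
```

When the site rotates its certificate the pin list must be updated, so keep at least the current and the next expected fingerprint in the set to avoid a self-inflicted outage.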