On Sat, Jul 7, 2012 at 2:27 PM,  <pro...@secure-mail.biz> wrote:
> Hello,
> is it possible to sign a foreign SSL public key without having CSR/private 
> key?
> Background:
> Because the public root CA's failed at least twice (DigiNotar, Comodo), I'd 
> like to pin a SSL certificate from a website I have no control over. 
> (Therefore I no access the the private key and can subsequently also not 
> create a CSR.) Pin the SSL cert by using a local self signed CA.
Don't forget MD5 signatures and the nuances of Flame (chosen collision
attack, Microsoft's profile, and lack of key usage enforcement). Also,
other infrastructure problems, such as DNS, are remediated.

You pin a certificate by whitelisting expected server certificates
(possibly thumbprints). There's usually no need to sign another's key
or certificate (I've never done it that way, and never seen it done
that way).

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to