Re: self-signed SSL certificates and trusted root certificate

2010-06-09 Thread Jeffrey Walton
cert for each one, are somehow "less stable" to > do business with because of their cost-cutting attempts. But, that is a > different argument. > > > > -Original Message- > From: owner-openssl-us...@openssl.org on behalf of Jeffrey Walton > Sent: Wed 6/9/2010 11:24

RE: self-signed SSL certificates and trusted root certificate

2010-06-09 Thread Rene Hollan
ssl-us...@openssl.org on behalf of Jeffrey Walton Sent: Wed 6/9/2010 11:24 AM To: openssl-users@openssl.org Subject: RE: self-signed SSL certificates and trusted root certificate Hi Patrick, > well, off-loading ssl to dedicated host(s) infront of the application servers > is hopefully the standar

RE: self-signed SSL certificates and trusted root certificate

2010-06-09 Thread Jeffrey Walton
So security-wise, I still can't see the major drawbacks you were >> talking about Apparently we have different security postures. Jeff [1] http://www.wired.com/threatlevel/2010/03/wiseguys-indicted/ ================ RE: self-signed SSL certificates

RE: self-signed SSL certificates and trusted root certificate

2010-06-08 Thread Eisenacher, Patrick
Hi Jeff, > -Original Message- > From: Jeffrey Walton > > > As long as the bad guy doesn't compromise your private key, he > > won't be able to impersonate any of your hosts, wildcard > > cert or not. > > What happens in the case of a web farm behind a proxy or load > balancer, where the fo

Re: self-signed SSL certificates and trusted root certificate

2010-06-08 Thread Jeffrey Walton
Hi Patrick, > As long as the bad guy doesn't compromise your private key, he > won't be able to impersonate any of your hosts, wildcard cert or not. What happens in the case of a web farm behind a proxy or load balancer, where the forward facing host does SSL (perhaps through an accelerator)? Jef

RE: self-signed SSL certificates and trusted root certificate

2010-06-08 Thread Eisenacher, Patrick
Hi Jeff, thanks for responding, but see my comments below. > -Original Message- > From: Jeffrey Walton > > Hi Patrick, > > >> can you please elaborate on where you see a security drawback > >> in the attack scenario you mentioned when using wildcard > >> certs over non-wildcard certs? > P

Re: self-signed SSL certificates and trusted root certificate

2010-06-07 Thread Jeffrey Walton
Hi Patrick, >> can you please elaborate on where you see a security drawback >> in the attack scenario you mentioned when using wildcard >> certs over non-wildcard certs? Principle of least privilege dictates that only a single server (or possibly related servers) be "authenticated". However, a wil

RE: self-signed SSL certificates and trusted root certificate

2010-06-07 Thread Eisenacher, Patrick
> -Original Message- > From: Eisenacher, Patrick > > Hi Jeff, > > > -Original Message- > > From: Jeffrey Walton > > > > Hi Vieri, > > > > >> How does one issue a cert for multiple CN? > > >> Suppose I have just one HTTP server but it can be accessed > > >> via multiple FQDN... I sup

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Vieri > Sent: Thursday, 03 June, 2010 06:42 > To: openssl-users@openssl.org > Subject: RE: self-signed SSL certificates and trusted root certificate > > > How does one issue a cert for multiple CN? > > Subj

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Jeffrey Walton > Sent: Wednesday, 02 June, 2010 03:48 > > Amazingly IE7 on testing likes even CA:false, which is crazy. > What store did the cert get put in? Was it the Trusted Root > Certification Authorities? If you let Windows automatically s

RE: self-signed SSL certificates and trusted root certificate

2010-06-03 Thread Vieri
--- On Wed, 6/2/10, Eisenacher, Patrick wrote: > > -Original Message- > > From: Vieri > > > > --- On Tue, 6/1/10, Dave Thompson wrote: > > > > > CN doesn't need to be hostname or domainname for > a CA > > > cert. > > > Technically not required on entity cert either, > but on WWW > > > m

RE: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Eisenacher, Patrick
Hi Jeff, > -Original Message- > From: Jeffrey Walton > > Hi Vieri, > > >> How does one issue a cert for multiple CN? > >> Suppose I have just one HTTP server but it can be accessed > >> via multiple FQDN... I suppose I need to use subjectAltName? > > > > Subject alternative name is one pos

Re: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Jeffrey Walton
Hi Vieri, >> How does one issue a cert for multiple CN? >> Suppose I have just one HTTP server but it can be accessed >> via multiple FQDN... I suppose I need to use subjectAltName? > > Subject alternative name is one possibility. If you need a cert for > several hosts/hostnames belonging to the s

RE: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Eisenacher, Patrick
> -Original Message- > From: Vieri > > --- On Tue, 6/1/10, Dave Thompson wrote: > > > CN doesn't need to be hostname or domainname for a CA > > cert. > > Technically not required on entity cert either, but on WWW > > most parties do want/like entity's CN to be domainname. > > How does one i

RE: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Vieri
--- On Tue, 6/1/10, Dave Thompson wrote: > CN doesn't need to be hostname or domainname for a CA > cert. > Technically not required on entity cert either, but on WWW > most parties do want/like entity's CN to be domainname. How does one issue a cert for multiple CN? Suppose I have just one HTT

Re: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Jeffrey Walton
Hi Dave, > Amazingly IE7 on testing likes even CA:false, which is crazy. What store did the cert get put in? Was it the Trusted Root Certification Authorities? If you let Windows automatically select the store, it most likely went in Personal. Jeff On Tue, Jun 1, 2010 at 9:17 PM, Dave Thompson

RE: self-signed SSL certificates and trusted root certificate

2010-06-02 Thread Vieri
--- On Tue, 6/1/10, Dave Thompson wrote: > I think I found it, and it's an extension in the CA cert. > two-step with standard > config > used [usr_cert] extensions which has > basicConstraints=CA:false. Right, I was wondering if that could be it... > The standard config file has a [v3_ca] s

RE: self-signed SSL certificates and trusted root certificate

2010-06-01 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Vieri > Sent: Tuesday, 01 June, 2010 10:25 > --- On Fri, 5/28/10, Dave Thompson wrote: > > Are your clients only browsers (IE? FF?) or apps? > > I was testing with IE6 but am now trying out FF 3.5.9. I went > to the advanced config options

RE: self-signed SSL certificates and trusted root certificate

2010-06-01 Thread Vieri
--- On Fri, 5/28/10, Dave Thompson wrote: > FYI: 'self-sign' in PKI means a *cert* that is signed by > its own key, > normally only a CA 'root' cert. Thank you for clarifying. > Right. They are, and you want to be, another CA. Exactly. > > So I published MY-CA/cacert.der as shown below. >

RE: self-signed SSL certificates and trusted root certificate

2010-05-28 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Vieri > Sent: Friday, 28 May, 2010 03:08 > I'm trying to self-sign SSL certificates for corporate web > servers. It seems to work fine except for installing the > CA certificate into the client's "trusted root certificate store". > FYI: 's