You are still trusting a public CA to not issue another certificate for that 
server to a malicious third party.

I'm not sure I'm following. How can a public CA generate a certificate for my server for someone who doesn't have access to my server? That would totally break SSL/HTTPS as it is used now. If anyone could generate a certificate for any domain, what would be the point of using certificates to validate the identity of servers? I don't really know that much about this stuff, but this was one thing I thought I knew.

Also, the only other option than using a public CA that I know of is to use a self-signed CA. And if I use self-signed, no one is obligated to trust it, as anyone can create self-signed certificates.

My goal is to have the VPN available for an occasional friend, so we can play some games on LAN. By using the LE certificate, he does not have to do anything apart from filling in the username/password. The LE certificates are trusted by Windows, so there is no fiddling with that.

On 10. 2. 2017 14:59, Noel Kuntze wrote:
On 10.02.2017 12:17, Jose Novacho wrote:
It seems we are talking about two different things.
I know that and it is deliberate. The things I describe are issues that will, albeit at some arbitrary point in the future, be encountered by you, if you do not fix them now.

I have used the LetsEncrypt certificate to authenticate the server itself. 
Peers are using username and password using EAP, that's not an issue.
You are still trusting a public CA to not issue another certificate for that 
server to a malicious third party.



_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
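For reference, an added swanctl.conf fragment (not from the thread, and not strongSwan's own documentation) for the setup Jose describes: the server authenticates with a public-CA (Let's Encrypt) certificate, the peers authenticate with an EAP username and password. The hostname vpn.example.com, the pool range, the user name and the secret are placeholders; the Let's Encrypt intermediate certificate is assumed to be installed in /etc/swanctl/x509ca/ so that the server sends the full chain, since a Windows client only trusts the leaf if it can build a chain to a root in its store, which is exactly the public-CA trust Noel is pointing at.

```conf
# /etc/swanctl/conf.d/rw-eap.conf  (added example, placeholders throughout)
connections {
    rw-eap {
        version = 2
        # Let's Encrypt leaf certificate and key, e.g. copied from
        # /etc/letsencrypt/live/vpn.example.com/{cert,privkey}.pem into
        # /etc/swanctl/x509/ and /etc/swanctl/private/ (hypothetical paths).
        # The intermediate goes into /etc/swanctl/x509ca/ so it is sent
        # to the client together with the leaf.
        local {
            auth  = pubkey
            certs = vpn.example.com.pem
            # Must match a SAN in the certificate; the Windows client
            # checks the server identity against the name it connects to.
            id    = vpn.example.com
        }
        # Peers do not present certificates; they authenticate with EAP
        # (username/password). Any EAP identity from the secrets below is accepted.
        remote {
            auth   = eap-mschapv2
            eap_id = %any
        }
        # Do not ask the client for a certificate, it has none.
        send_certreq = no
        pools = rw-pool
        children {
            lan {
                # Placeholder LAN behind the server that the friend should reach.
                local_ts = 10.0.0.0/24
            }
        }
    }
}

pools {
    rw-pool {
        # Placeholder address range handed out to connecting clients.
        addrs = 10.10.0.0/24
    }
}

secrets {
    # One entry per friend; the id is the EAP username.
    eap-friend {
        id     = friend
        secret = "replace-with-a-long-random-password"
    }
}
```

After placing the files, `swanctl --load-all` picks up the connection, and `swanctl --list-certs` shows whether the leaf and the intermediate were both loaded. Note that nothing in this configuration pins the server certificate on the client side: the Windows client will accept any certificate for vpn.example.com that chains to a root it trusts, which is the trade-off discussed in the thread.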
