[117366] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: delegating SSL certificates

daemon@ATHENA.MIT.EDU (Dave Howe)
Sat Mar 15 22:55:06 2008

Date: Sat, 15 Mar 2008 22:41:15 +0000
From: Dave Howe <DaveHowe@gmx.co.uk>
To: "Email List - Cryptography" <cryptography@metzdowd.com>
In-Reply-To: <20080225220143.GC8561@subspacefield.org>

travis+ml-cryptography@subspacefield.org wrote:
> So at the company I work for, most of the internal systems have
> expired SSL certs, or self-signed certs.  Obviously this is bad.

Sorta. TLS gets along with self signed just fine though, and obviously 
you can choose to accept a root or unsigned cert on a per-client basis.

> I know that if we had IT put our root cert in the browsers, that we
> could then generate our own SSL certs.

sure. for IE its just a registry key, trivial to push out using login 
scripts etc.

> Are there any options that don't involve adding a new root CA?

buying a intermediate cert from an existing CA? buying a "wildcard" cert 
  for your domain, and using the same wildcard cert on all nodes?

> I would think this would be rather common, and I may have heard about
> certs that had authority to sign other certs in some circumstances...

at one point, you could use *any* cert to sign another cert; IE didn't 
bother checking. I believe they have fixed that now.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

home help back first fref pref prev next nref lref last post