[117366] in cryptography@c2.net mail archive
Re: delegating SSL certificates
daemon@ATHENA.MIT.EDU (Dave Howe)
Sat Mar 15 22:55:06 2008
Date: Sat, 15 Mar 2008 22:41:15 +0000
From: Dave Howe <DaveHowe@gmx.co.uk>
To: "Email List - Cryptography" <cryptography@metzdowd.com>
In-Reply-To: <20080225220143.GC8561@subspacefield.org>
travis+ml-cryptography@subspacefield.org wrote:
> So at the company I work for, most of the internal systems have
> expired SSL certs, or self-signed certs. Obviously this is bad.
Sorta. TLS gets along with self signed just fine though, and obviously
you can choose to accept a root or unsigned cert on a per-client basis.
> I know that if we had IT put our root cert in the browsers, that we
> could then generate our own SSL certs.
sure. for IE its just a registry key, trivial to push out using login
scripts etc.
> Are there any options that don't involve adding a new root CA?
buying a intermediate cert from an existing CA? buying a "wildcard" cert
for your domain, and using the same wildcard cert on all nodes?
> I would think this would be rather common, and I may have heard about
> certs that had authority to sign other certs in some circumstances...
at one point, you could use *any* cert to sign another cert; IE didn't
bother checking. I believe they have fixed that now.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com