is a self signed certificate always invalid the first time?

Michael Felt michael at felt.demon.nl
Fri Aug 18 10:02:54 EEST 2017



On 8/11/2017 1:29 PM, Ralph Seichter wrote:
> On 11.08.2017 11:36, Michael Felt wrote:
>
>> This is what Ralph means when he says "have been running a CA for
>> 15+ years" - not that he is (though he could!) sell certificates
>> commercially - rather, he is using an initial certificate to sign
>> later certificates with.
> Actually, I do sell certificates to my customers. :-) In small numbers,
> and only for servers to which I have administrative access.
So, not really "selling", but an additional service.
> I created a
> root CA and two intermediate CAs (one each for client and server certs,
> respectively).
>
> It would be great to have my CAs added to Mozilla's NSS root certificate
> store, but alas, the effort to get there is massive. Where possible, I
> will add my CA certs to the customers' keystores. I also made my CA
> certs available for public download, so tech-savvy users can import the
> CA certs manually.
>
>> Again, technically, there is no difference in a self-signed 2048-bit RSA
>> key, and one signed by a "major" CA. However, in the "ease of use" there
>> may be major differences.
> In 2015 I rolled out an updated CA which I have used ever since, with
> 4096 bit keys for root and intermediary CA certs. I also only generate
> 4096 bit keys for servers these days, so my cert chain is "stronger"
> than those of some commercial CAs. Also, it is good to know that these
> certs have never been touched by anybody but myself. I even install my
> own CA cert chain on my iOS devices.
>
>> And, Ralph, I salute you. I have never been able to be disciplined
>> enough to be my own CA.
> I encourage you to look into the subject again.
I actually have been, which is why I could give a near sensible reply.
Thanks for the encouragement!
> With the advent of Let's
> Encrypt, free certs for the masses have become a thing, but if you need
> more than 3 months validity, want to create certs for Intranet-devices
> (routers, local servers), or just want maximum control over all certs,
> setting up your own CA is rewarding. While you're at it, no gentleman
> should not be without DNSSEC, DKIM and DANE these days. ;-)
I should know all three, but, sadly, only one: two things to add to my
list of things to research.
> -Ralph
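The two-tier setup Ralph describes (a self-signed root, an intermediate for server certs, leaf certs signed by the intermediate, and the CA chain installed into each client's keystore) can be reproduced end to end with the openssl command line. The script below is an added example for this archive page, not code from either poster; every name, path and the hostname imap.example.test are made-up placeholders, and it defaults to 2048-bit keys so it runs quickly (the thread uses 4096; set KEY_BITS=4096 to match). The last two functions show both sides of the subject line: the same leaf cert verifies cleanly for a client that trusts the private root and is rejected by one that does not.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal two-tier private CA with the openssl CLI,
# root -> intermediate -> server certificate, plus the checks a client performs.
# All names, paths and the hostname below are hypothetical placeholders.
set -eu

# The thread uses 4096-bit keys; 2048 keeps the demo fast. Override with KEY_BITS=4096.
KEY_BITS="${KEY_BITS:-2048}"
LEAF_HOST="imap.example.test"   # hypothetical intranet hostname

# new_csr DIR NAME SUBJECT: fresh RSA key plus certificate signing request
new_csr() {
  openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# sign_csr DIR NAME ISSUER DAYS: sign NAME.csr with ISSUER's key, applying NAME.ext
sign_csr() {
  openssl x509 -req -sha256 -days "$4" -in "$1/$2.csr" \
    -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

build_ca() {
  dir="$1"; mkdir -p "$dir"

  # 1. Root CA: self-signed, CA:TRUE, long-lived. In practice its key stays offline.
  new_csr "$dir" root "/CN=Example Private Root CA"
  printf '%s\n' "basicConstraints=critical,CA:TRUE" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" > "$dir/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/root.ext" -out "$dir/root.crt" 2>/dev/null

  # 2. Intermediate for server certs. pathlen:0 restricts it to signing leaves,
  #    so a compromise of this (online) key cannot mint further CAs.
  new_csr "$dir" int "/CN=Example Server Intermediate CA"
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always" > "$dir/int.ext"
  sign_csr "$dir" int root 1825

  # 3. Server leaf: CA:FALSE, serverAuth only, hostname in subjectAltName
  #    (modern clients match the SAN, not the CN).
  new_csr "$dir" server "/CN=$LEAF_HOST"
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid:always" \
    "subjectAltName=DNS:$LEAF_HOST" > "$dir/server.ext"
  sign_csr "$dir" server int 397

  # 4. What the server hands to clients: leaf followed by intermediate, never the root.
  cat "$dir/server.crt" "$dir/int.crt" > "$dir/server-chain.pem"
}

# verify_leaf DIR HOSTNAME: succeeds only if the chain builds to our root AND the name matches.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_leaf() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# no_anchor_fails DIR: the same leaf seen by a client that does not trust our root.
# Returns success when verification is (correctly) rejected.
no_anchor_fails() {
  if openssl verify -no-CAfile -no-CApath -untrusted "$1/int.crt" "$1/server.crt" >/dev/null 2>&1; then
    return 1
  fi
}

# Stand-alone usage: ./ca-demo.sh demo
if [ "${1:-}" = "demo" ]; then
  build_ca ./demo-ca
  verify_leaf ./demo-ca "$LEAF_HOST" && echo "chain OK for $LEAF_HOST"
  no_anchor_fails ./demo-ca && echo "rejected without the root in the trust store, as expected"
fi
```

Importing root.crt (only the root, not the intermediate or the server key) into a client's keystore is what turns the second outcome into the first; distributing the intermediate in the server's chain file means clients never need it pre-installed.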