is a self signed certificate always invalid the first time?

Michael Felt michael at felt.demon.nl
Fri Aug 18 10:45:14 EEST 2017
On 8/18/2017 9:12 AM, voytek at sbt.net.au wrote:
> On Fri, August 18, 2017 5:02 pm, Michael Felt wrote:
>> On 8/11/2017 1:29 PM, Ralph Seichter wrote:
>>>> And, Ralph, I salute you. I have never been able to be disciplined
>>>> enough to be my own CA.
>>> I encourage you to look into the subject again.
>>>
>> I actually have been, which is why I could give a near sensible reply.
>> Thanks for the encouragement!
>>
>>> With the advent of Let's
>>> Encrypt, free certs for the masses have become a thing, but if you need
>>> more than 3 months validity, want to create certs for Intranet-devices
>>> (routers, local servers), or just want maximum control over all certs,
>>> setting up your own CA is rewarding. While you're at it, no gentleman
>>> should not be without DNSSEC, DKIM and DANE these days. ;-)
>> I should know all three, but, sadly, only one: two things to add to my
>> list of things to research.
>
> I have been reading this with some interest (while trying to migrate
> Dovecot, Postfix etc..)
>
> BUT, for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users getting
> 'warnings', is that so ?
>
> (I'm currently using self issued for both mail and web)
Above - Ralph added:
> I also made my CA
> certs available for public download, so tech-savvy users can import the
> CA certs manually.
Depending on your site popularity (aka number of "random" users) you
could also instruct them how to access your signing key. Once they had
that, they would auto-magically recognize any other keys you signed
with your CA "roots".

In other words, if the work for you to instruct users to use your CA is
more expensive than using a commercial CA - save money and use a
commercial CA. Before spending any money on a commercial CA - look at
alternatives such as Let's Encrypt. I am also looking at
http://www.cacert.org/ (That might be something for you Ralph!)

>
> thanks,
>
> V
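The point Michael makes above (once a user has imported your CA root, every cert you sign with it is trusted; without it, the same cert is rejected) as an added example, not code from this thread. It assumes the `openssl` command-line tool is installed; all names and the two CAs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal private CA, one server cert signed by it, and the
# verification result seen by a client that has imported the CA root versus
# one that trusts only some unrelated CA. Assumes the openssl CLI is present.
set -e
WORK=$(mktemp -d)

make_root() {
  # Self-signed root CA ($1 = file prefix, $2 = CN). This is the single
  # file you would publish for tech-savvy users to import.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_server_cert() {
  # Key + CSR for a constructed intranet host, then sign it with our CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 365 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 if server.crt chains to a root in the trust bundle $1,
# non-zero otherwise; this is the decision a browser or mail client makes.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

make_root ca "Example Private Root CA"     # our CA
make_root other "Some Unrelated Root CA"   # what a stranger's client trusts
issue_server_cert

if verify_against "$WORK/other.crt"; then
  echo "unexpected: trusted without our root"
else
  echo "client without our CA root: certificate rejected (the 'warning' case)"
fi
if verify_against "$WORK/ca.crt"; then
  echo "client with our CA root imported: certificate trusted"
fi
```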