is a self signed certificate always invalid the first time?

Ralph Seichter m16+dovecot at monksofcool.net
Fri Aug 18 13:15:52 EEST 2017


On 18.08.2017 09:12, voytek at sbt.net.au wrote:

> for a public web server where https is becoming mandatory, I'd still
> need a certificate from a recognized publisher, to avoid users geting
> 'warnings', is that so ?

For a certificate to be reported as "valid", an unbroken chain of
cryptographic signatures is required. Browsers are released with a set
of Root CA and Intermediate CA certificates, as are operating systems.
Some use the Mozilla CA Certificate Store[1], for example, others come
with their own CA stores, like macOS[2].

[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
[2] https://support.apple.com/en-us/HT202858

Unless your web server certificate's signature chain originates from one
of the CAs delivered with a web browser or OS, the end user connecting
to your site will either have to manually add the required CAs, or add
your server certificate, or be presented with a warning/error message.

One could argue that relying on certificate stores is placing personal
security concerns in other people's hands. Of course, it would be a
potentially funny thing to try and verify the validity of your online
banking server's certificate by asking them to send you a letter
containing the certificate fingerprint...

-Ralph


More information about the dovecot mailing list