On 18.08.2017 09:12, voytek@sbt.net.au wrote:
> for a public web server where https is becoming mandatory, I'd still need a certificate from a recognized publisher, to avoid users getting 'warnings', is that so?
For a certificate to be reported as "valid", an unbroken chain of cryptographic signatures is required. Browsers are released with a set of Root CA and Intermediate CA certificates, as are operating systems. Some use the Mozilla CA Certificate Store[1], for example, others come with their own CA stores, like macOS[2].
[1] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs...
[2] https://support.apple.com/en-us/HT202858
Unless your web server certificate's signature chain originates from one of the CAs delivered with a web browser or OS, the end user connecting to your site will either have to manually add the required CAs, or add your server certificate, or be presented with a warning/error message.
One could argue that relying on certificate stores is placing personal security concerns in other people's hands. Of course, it would be a potentially funny thing to try and verify the validity of your online banking server's certificate by asking them to send you a letter containing the certificate fingerprint...
-Ralph
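
The chain check described in the message above, as an added example that is not part of the original e-mail: it uses the `openssl` command line to show a server certificate being accepted or rejected depending on whether the CA that signed it is in the trust store. The CA names, the host name `www.example.test` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: two unrelated self-signed root CAs and one server
# certificate signed by root A. Nothing here touches the system trust store.
make_demo_pki() {
    dir=$1
    # Root A: stands in for a CA that ships with a browser or OS.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root A" \
        -keyout "$dir/rootA.key" -out "$dir/rootA.pem" 2>/dev/null
    # Root B: an unrelated CA that never signed the server certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root B" \
        -keyout "$dir/rootB.key" -out "$dir/rootB.pem" 2>/dev/null
    # Server key and signing request, then the certificate issued by root A.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/rootA.pem" -CAkey "$dir/rootA.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
}

# chain_status STORE CERT: prints "trusted" if CERT's signature chain ends
# at a CA contained in the PEM bundle STORE, otherwise "untrusted".
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"

# Store that already contains the issuing CA: no warning for the user.
echo "store = Root A:          $(chain_status "$demo_dir/rootA.pem" "$demo_dir/server.pem")"
# Store without the issuing CA: this is the warning/error case.
echo "store = Root B:          $(chain_status "$demo_dir/rootB.pem" "$demo_dir/server.pem")"
# The user manually adds the required CA to their store.
cat "$demo_dir/rootB.pem" "$demo_dir/rootA.pem" > "$demo_dir/store.pem"
echo "store = Root B + Root A: $(chain_status "$demo_dir/store.pem" "$demo_dir/server.pem")"

rm -rf "$demo_dir"
```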