On Fri, August 18, 2017 5:02 pm, Michael Felt wrote:
On 8/11/2017 1:29 PM, Ralph Seichter wrote:
And, Ralph, I salute you. I have never been able to be disciplined enough to be my own CA. I encourage you to look into the subject again.
I actually have been, which is why I could give a near sensible reply. Thanks for the encouragement!
With the advent of Let's Encrypt, free certs for the masses have become a thing, but if you need more than 3 months validity, want to create certs for Intranet-devices (routers, local servers), or just want maximum control over all certs, setting up your own CA is rewarding. While you're at it, no gentleman should be without DNSSEC, DKIM and DANE these days. ;-)
I should know all three, but, sadly, only one: two things to add to my list of things to research.
On 8/18/2017 9:12 AM, voytek@sbt.net.au wrote:
I have been reading this with some interest (while trying to migrate Dovecot, Postfix etc..)
BUT, for a public web server where https is becoming mandatory, I'd still need a certificate from a recognized publisher, to avoid users getting 'warnings', is that so ?
(I'm currently using self issued for both mail and web)
Above - Ralph added: I also made my CA certs available for public download, so tech-savvy users can import the CA certs manually. Depending on your site-popularity (aka number of "random" users) you could also instruct them how to access your signing key. Once they had that, they would auto-magically recognize any other keys you signed with your CA "roots".
In other words, if the work for you to instruct users to use your CA is more expensive than using a commercial CA - save money and use a commercial CA. Before spending any money on a commercial CA - look at alternatives such as Let's Encrypt. I am also looking at http://www.cacert.org/ (That might be something for you Ralph!)
thanks,
V
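As an added example (not code from anyone in this thread), the following Go program models what Ralph and Michael describe: a private root CA, server certs for a mail host and a web host signed by it, and clients that accept those certs only once the root has been imported into their trust store. The CA name "Example Home CA" and the hostnames under example.test are made-up placeholders; the validity periods are just illustrative values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a fresh 64-bit serial number for a certificate.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
}

// makeCA creates the self-signed root certificate, i.e. the "CA roots" that
// users would download and import. Validity is your own choice here, unlike
// the 90 days a Let's Encrypt cert gives you.
func makeCA(name string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name}, // placeholder CA name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueServerCert signs a leaf certificate for one host (a mail or web server)
// with the CA key and returns the leaf together with its private key.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, validity time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match the hostname against the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// clientAccepts models a client connecting to host and checking the server's
// certificate against the roots it trusts. An empty pool stands for a browser
// or mail client that never imported your CA: that is the "warning" case.
func clientAccepts(leaf *x509.Certificate, host string, trusted *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

func main() {
	ca, caKey, err := makeCA("Example Home CA", 10*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	mail, _, err := issueServerCert(ca, caKey, "mail.example.test", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	web, _, err := issueServerCert(ca, caKey, "www.example.test", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	imported := x509.NewCertPool() // a client that imported the CA root
	imported.AddCert(ca)
	fresh := x509.NewCertPool() // a client that did not

	fmt.Println("mail, root imported:", clientAccepts(mail, "mail.example.test", imported)) // true
	fmt.Println("web, root imported: ", clientAccepts(web, "www.example.test", imported))   // true: one import covers every cert the CA signed
	fmt.Println("mail, no import:    ", clientAccepts(mail, "mail.example.test", fresh))    // false: this is the warning users would see
	fmt.Println("wrong hostname:     ", clientAccepts(mail, "imap.example.test", imported)) // false: the root alone is not enough
}
```

The two rejections at the end are the ones worth keeping in mind: a client that never imported the root rejects every cert from the CA (voytek's "warnings" for random visitors), and even a client that did import it still rejects a cert presented for a hostname it was not issued for, so each server needs its own correctly named cert from the CA.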