
Re: OpenLDAP/SSL and SSL Trust Chain?
Andrew,

Thank you for the clear and concise clarification of the different
meanings of the term "self-signed" certificate. I indeed am using "closed
community" certs and not "self-signed" certs. Hopefully this term will
be adopted to avoid confusion in the future.
Paul

> There is a lot of confusion about self-signed certificates, partly
> because the term is now being used in two different ways:
>
> 1)	In the standards, a self-signed certificate is literally a
> 	certificate whose signature was generated using the key that
> 	the certificate refers to. All root certificates are of this
> 	form, since by definition there is no 'higher' certificate to
> 	sign them with: the *certificate* signs itself.
>
> 2)	A common usage has developed where the term 'self-signed
> 	certificate' refers to any certificate generated by an
> 	organisation or end-user without using the services of any
> 	commercial certification service.
>
> 	It might be better to refer to these as 'closed community'
> 	certificates because there is no public service for verifying
> 	them.
>
> Using the standard definition (1), it is wrong to use a self-signed
> certificate directly for a service: these are root-level certificates
> and should only be used for signing other certificates. This is a
> common error, and very few applications checked for it in the past.
> More checks are now done by OpenSSL at least, so service operators
> have to get this right.
>
> Thus if you want to avoid paying money to a public certificate
> provider (or if you cannot find one that will generate the form of
> certificate that you need) you must make at least two certs:
>
> 	Make yourself a root certificate. This is self-signed in both
> 	senses of the term. It should be marked as a
> 	certificate-signing certificate.
>
> 	Generate a key for your service. Use this to generate a
> 	certificate for the service, signed using your root
> 	certificate. This service certificate is *not* self-signed
> 	under the standard definition above, but like your root
> 	certificate it *is* a 'closed community' certificate.
>