Re: OpenLDAP/SSL and SSL Trust Chain?
Andrew,
Thank you for the clear and concise clarification of the different
meanings of the term "self-signed" certificate. I indeed am using "closed
community" certs and not "self-signed" certs. Hopefully this term will
be adopted to avoid confusion in the future.
Paul
> There is a lot of confusion about self-signed certificates, partly
> because the term is now being used in two different ways:
>
> 1) In the standards, a self-signed certificate is literally a
> certificate whose signature was generated using the key that
> the certificate refers to. All root certificates are of this
> form, since by definition there is no 'higher' certificate to
> sign them with: the *certificate* signs itself.
>
> 2) A common usage has developed where the term 'self-signed
> certificate' refers to any certificate generated by an
> organisation or end-user without using the services of any
> commercial certification service.
>
> It might be better to refer to these as 'closed community'
> certificates because there is no public service for verifying
> them.
>
> Using the standard definition (1), it is wrong to use a self-signed
> certificate directly for a service: these are root-level certificates
> and should only be used for signing other certificates. This is a
> common error, and very few applications checked for it in the past.
> More checks are now done by OpenSSL at least, so service operators
> have to get this right.
>
> Thus if you want to avoid paying money to a public certificate
> provider (or if you cannot find one that will generate the form of
> certificate that you need) you must make at least two certs:
>
> Make yourself a root certificate. This is self-signed in both
> senses of the term. It should be marked as a
> certificate-signing certificate.
>
> Generate a key for your service. Use this to generate a
> certificate for the service, signed using your root
> certificate. This service certificate is *not* self-signed
> under the standard definition above, but like your root
> certificate it *is* a 'closed community' certificate.
>
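An added worked example (not part of Paul's or Andrew's posts) that carries out the two-certificate procedure described above with the openssl command line, then checks the two properties the thread turns on: whether a certificate is self-signed in the standards sense (issuer name equals subject name) and whether it is marked as a certificate-signing certificate (basicConstraints CA:TRUE). The CA name, the hostname ldap.example.internal, the file names and the validity periods are illustrative assumptions; it only needs the openssl binary on the path and uses its own small config file so the result does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original thread: build a two-certificate
# "closed community" chain (root CA + service cert) with the openssl CLI.
# Names, hostname and file names are illustrative assumptions.
set -eu

make_chain() {
    dir="$1"
    mkdir -p "$dir"

    # Minimal req config so the run does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example Closed Community Root CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Step 1: the root. Self-signed in both senses of the term and marked
    # as a certificate-signing certificate. Never installed on a service.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/req.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

    # Step 2a: a fresh key and a CSR for the service (-subj overrides [dn]).
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" -subj "/CN=ldap.example.internal" \
        -keyout "$dir/ldap.key" -out "$dir/ldap.csr" 2>/dev/null

    # End-entity extensions: explicitly not a CA, server use, SAN for the host.
    cat > "$dir/ldap.ext" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.internal
EOF

    # Step 2b: sign the CSR with the root key. The result is a closed-community
    # certificate but NOT a self-signed one: its issuer is the root, not itself.
    openssl x509 -req -days 825 -in "$dir/ldap.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/ldap.ext" -out "$dir/ldap.pem" 2>/dev/null
}

# Self-signed in the standards sense: issuer name equals subject name.
is_self_signed() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

# Marked as a certificate-signing certificate (basicConstraints CA:TRUE).
is_ca_cert() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# Does certificate $2 chain to trust anchor $1?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration: build the chain in a temp dir and report.
demo() {
    work=$(mktemp -d)
    make_chain "$work"
    if is_self_signed "$work/root.pem" && is_ca_cert "$work/root.pem"; then
        echo "root.pem: self-signed, CA:TRUE -> use only to sign other certs"
    fi
    if ! is_self_signed "$work/ldap.pem" && ! is_ca_cert "$work/ldap.pem"; then
        echo "ldap.pem: closed-community service cert, not self-signed"
    fi
    if chain_verifies "$work/root.pem" "$work/ldap.pem"; then
        echo "ldap.pem verifies against root.pem"
    fi
    rm -rf "$work"
}

demo
```

Clients then trust root.pem (for OpenLDAP that is the file named in TLS_CACERT), while the server is configured with ldap.pem and ldap.key only. Handing out ldap.pem as a trust anchor does not work, since the service cert does not verify against itself, which is exactly the difference between the two meanings of "self-signed" discussed above.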