On Fri, June 17, 2016 11:06, Walter H. wrote: > On 17.06.2016 16:46, James B. Byrne wrote: >> On Thu, June 16, 2016 13:53, Walter H. wrote: >>> On 15.06.2016 16:17, Warren Young wrote: >>>> but it also affects the other public CAs: you canâ??t get a >>>> publicly-trusted cert for a machine without a publicly-recognized >>>> and -visible domain name. For that, you still need to use >>>> self-signed certs or certs signed by a private CA. >>>> >>> A private CA is the same as self signed; >>> >> No it is not. A private CA is as trustworthy as the organisation >> that >> operates it. No more and not one bit less. >> >> We operate a private CA for our domain and have since 2005. We >> maintain a public CRL strictly in accordance with our CPS and have >> our >> own OID assigned. > for your understanding: every root CA certificate is self signed; > any SSL certificate that was signed by a CA not delivered as built-in > token in a browser is the same as self-signed; > > > For your understanding, a self-signed certificate is one that has been signed by itself. Naturally ALL root certificates are self-signed. The self-signed root cert is then used to sign a subordinate CA issuing cert and that issuing cert is used to sign other subordinate CAs and / or end-user certs depending upon the permissions given it by the original signing certificate. This establishes the certificate trust chain. If website presents an actual self-signed cert to Firefox for example, it will refuse it. I suppose there is a way to circumvent this behaviour but I am not aware of it. If you present a certificate that is not self-signed but is signed by an authority whose root certificate chain is not in the trusted root store then Firefox gives you a warning -- as given in a preceding message 'net::ERR_CERT_AUTHORITY_INVALID' -- but it none-the-less allows you to accept the certificate as an exception and proceed to the website. If you do not want to get warnings and you trust the issuer then you can add their issuing CA cert chain to your trusted root certificate store. -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail Do NOT open attachments nor follow links sent by e-Mail James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos