Hi Chris,

In your case, it doesn't sound like putting a CA on your web server will provide any extra security. The only secure way to ensure your client is connected to the server it expects to be is for someone to manually copy (out of band preferred) the certificate of the server and load it on the client before the first session. This does not scale for the Internet, so CAs were invented.

CAs can generate a certificate for themselves or have it generated by another CA. I'll only talk about self-generation here. Someone has to manually copy this self-generated certificate onto all clients. Now, this CA can sign certificates for other servers. All clients with your CA's certificate will "trust" certificates signed by your CA. Normally, your browser already has a set of CA certificates that your vendor deems trustworthy. You must add your own CA's certificate to all PCs manually to protect against the man-in-the-middle attack. Otherwise, having a CA or your server signing its own certificate is no different.

This is a very simplified explanation of CAs. If you choose to implement a CA, please do NOT put the CA on the same machine as your Apache server. That's the most insecure thing you can do.

-Sherwin

--- Chris de Vidal <cdevidal@xxxxxxxxx> wrote:
> I'm implementing an intranet web server and will need SSL. I know of the
> dangers of using a self-signed certificate. I see it is trivial to create a
> Certificate Authority (CA) but is it really more secure? In other words,
> couldn't someone still craft a man-in-the-middle attack?
>
> Ideally, I'd place the CA on the same box as the web server, but I can move it
> if that's more secure.
>
> =====
> /dev/idal
> "GNU/Linux is free freedom" --Me
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
> with "unsubscribe" in the subject of the message.

=====
Best Regards,
Sherwin Lu
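The setup Sherwin describes, as an added example that is not part of the original thread: a private CA root (generated on a machine other than the web server), a server certificate signed by it, and a client check that succeeds only when the client already holds the CA certificate. It assumes the openssl CLI is installed; the hostnames, subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a private CA on what
# should be a separate machine, signs the intranet web server's certificate
# with it, and shows what a client holding ca.crt can and cannot verify.
# Assumes the openssl CLI is installed; names and subjects are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# The CA's self-signed root certificate. ca.key must never leave the CA box;
# ca.crt is what gets copied (out of band) onto every client.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Intranet CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The web server generates its own key and a CSR; only the CSR travels to
# the CA, which returns a certificate chained to ca.crt.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:intranet.example.internal\n' > "$WORK/san.ext"
  openssl x509 -req -days 825 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# What an impostor server could present: a self-signed certificate for the
# same hostname, but signed with a key the CA never vouched for.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -sha256 \
    -subj "/CN=intranet.example.internal" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# A client that has ca.crt installed: returns 0 only for certificates that
# chain to the CA and carry the expected hostname.
client_trusts() {
  openssl verify -CAfile "$WORK/ca.crt" \
    -verify_hostname intranet.example.internal "$1" >/dev/null 2>&1
}

make_ca && make_server_cert && make_rogue_cert
client_trusts "$WORK/server.crt" && echo "server.crt: accepted"
client_trusts "$WORK/rogue.crt" || echo "rogue.crt: rejected (not signed by the CA)"
```

The same rogue certificate is accepted by a client that lacks ca.crt, which is why the CA certificate has to reach every client by hand before the first session.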