--- sherwin Lu <shihminlu@xxxxxxxxx> wrote:

> Normally, your browsers already have a set of CA
> certificates that your vendor deems trustworthy. You
> must add your own CA's certificate to all PCs manually
> to protect against the man-in-the-middle attack.
> Otherwise, having a CA or your server signing its own
> certificate is no different.

Since writing this email, I've created my CA on the same server and used Active Directory to automatically trust the CA (and thus any certificates it creates). Since the trust has already been established, I believe we are now secure.

> This is a very simplified explanation of CAs. If you
> choose to implement a CA, please do NOT put the CA on
> the same machine as your apache server. That's the
> most insecure thing you can do.

Other than ensuring the browser trusts the CA (done), what other risks are there that I should be aware of? It's not too late to move the CA if I am made aware of something else.

=====
/dev/idal
"GNU/Linux is free freedom" --Me
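The two points made in the quoted reply, that clients only gain man-in-the-middle protection once the CA certificate is in their trust store, and that the CA private key should live on a machine other than the web server, can both be exercised with the openssl command line. The script below is an added example written for this thread; it is not code from either poster. It assumes the `openssl` CLI is installed, uses constructed names (`Example Internal CA`, `www.example.internal`, `Unrelated Vendor CA`), and uses two temporary directories to stand in for the separate CA host and the Apache host, so that the only things crossing between them are the CSR and the signed certificate.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is
# installed. Two temporary directories stand in for two machines: the CA
# host (holds the CA private key) and the web host (holds only the server
# key, the CSR, and the signed certificate). All names are constructed.
set -e

WORK=$(mktemp -d)
CA_DIR="$WORK/ca-host"
WEB_DIR="$WORK/web-host"
mkdir -p "$CA_DIR" "$WEB_DIR"
chmod 700 "$CA_DIR"
trap 'rm -rf "$WORK"' EXIT

# Build the PKI. Only the CSR travels from the web host to the CA host, and
# only the signed certificate travels back; the CA key never leaves CA_DIR.
setup_pki() {
    # CA host: private CA key plus self-signed CA certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=Example Internal CA" 2>/dev/null
    # Web host: server key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WEB_DIR/server.key" -out "$WEB_DIR/server.csr" \
        -subj "/CN=www.example.internal" 2>/dev/null
    # CA host: sign the CSR; the result is the certificate Apache would serve.
    openssl x509 -req -sha256 -days 365 -in "$WEB_DIR/server.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -out "$WEB_DIR/server.crt" 2>/dev/null
    # An unrelated CA, standing in for the vendor CAs a stock browser ships with.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.crt" \
        -subj "/CN=Unrelated Vendor CA" 2>/dev/null
    # A self-signed certificate for the same host name, issued by no CA the
    # client trusts: a client that lacks our CA certificate cannot tell it
    # apart from the real one, and a client that has it rejects it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" \
        -subj "/CN=www.example.internal" 2>/dev/null
}

# verify_against TRUST_ANCHOR CERT: emulate a client whose trust store holds
# only TRUST_ANCHOR. Exit 0 if CERT chains to it, 1 otherwise. Checking for
# ": OK" in the output behaves the same across openssl versions whose exit
# codes differ.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# ca_key_isolated: exit 0 if the CA private key exists on the CA host and no
# copy of it ended up on the web host.
ca_key_isolated() {
    [ -f "$CA_DIR/ca.key" ] && [ ! -e "$WEB_DIR/ca.key" ]
}

setup_pki

# Demonstration when run directly.
if verify_against "$CA_DIR/ca.crt" "$WEB_DIR/server.crt"; then
    echo "client trusting our CA: server.crt accepted"
fi
if ! verify_against "$WORK/other-ca.crt" "$WEB_DIR/server.crt"; then
    echo "client trusting only vendor CAs: server.crt rejected (our CA cert was never distributed)"
fi
if ! verify_against "$CA_DIR/ca.crt" "$WORK/selfsigned.crt"; then
    echo "client trusting our CA: self-signed certificate for the same name rejected"
fi
if ca_key_isolated; then
    echo "CA private key present only on the CA host"
fi
```

The second check is the situation the reply warns about: until the CA certificate reaches every client (here, via Active Directory), a client validates the server certificate against vendor CAs only and cannot distinguish the real certificate from any other one for the same name. The last check is the separation the reply asks for: signing happens where the CA key lives, and the web host only ever receives the issued certificate.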