OpenSSL
From Wiki.mattrude.com
Certificate Authority
- http://sial.org/howto/openssl/ca/
- http://mirin.apnic.net/resourcecerts/wiki/index.php/Minimal_OpenSSL#Self-Signed_certificate.2C_from_private_key
Creating a Certificate Authority
Revoking a Certificate
Self-signed SSL certificates
Self-signed SSL certificates are the easiest way to get your SSL server working. However, unless you take some action to prevent it, this comes at the cost of security:
- The first time the client connects to the server, it sees the certificate and asks the user whether to trust it. The user of course doesn't really bother verifying the certificate's fingerprint, so a man-in-the-middle attack can easily bypass all the SSL security, steal the user's password and so on.
- If the client was lucky enough not to get attacked the first time it connected, the following connections will be secure as long as the client had permanently saved the certificate. Some clients do this, while others have to be manually configured to accept the certificate.
The only way to be fully secure is to import the SSL certificate into the client's (or operating system's) list of trusted CA certificates before the first connection. See SSL/CertificateClientImporting for how to do this with different clients.
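A shell walk-through of the point above, added here and not part of the original wiki page: it generates a self-signed certificate with the openssl CLI (the hostname example.test is made up), prints the fingerprint a user would have to compare out of band, and shows that verification fails against the system trust store but succeeds once the saved certificate itself is the trust anchor, while a second self-signed certificate with the same name still fails.

```shell
#!/bin/sh
# Added example, not from the wiki. Assumes the openssl CLI is installed and
# uses the made-up hostname example.test.
set -eu

WORK=$(mktemp -d)

# Generate a self-signed certificate and private key.
# $1 = output path prefix, $2 = subject common name
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value a user is meant to compare
# against an out-of-band copy on first connection.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when the certificate in $2 has the expected fingerprint $1.
fingerprint_matches() {
    [ "$(fingerprint "$2")" = "$1" ]
}

# What a client with only the OS trust store does: a self-signed certificate
# chains to nothing it trusts, so this fails (non-zero exit).
verify_with_system_store() {
    openssl verify "$1" >/dev/null 2>&1
}

# What a client that pre-imported the certificate does: verify the presented
# certificate ($2) against the saved trusted copy ($1). Succeeds only for the
# genuine certificate; an impostor with the same CN but a different key fails.
verify_against_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_selfsigned "$WORK/server" example.test
echo "server.crt SHA-256 fingerprint: $(fingerprint "$WORK/server.crt")"
```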