Re: Re[2]: [cobalt-security] self signed certificate warnings
- From: Matthew Nuzum <cobalt@xxxxxxxxxxxxx>
- Date: 21 Feb 2002 10:56:00 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Thanks, these are some good points.
I am open to a wildcard cert for $400, and asked that if anyone had a
recommendation, to give it.
As far as this "local" ca is concerned, I am creating a somewhat "low
end" solution here and simply want to avoid some of the error messages
people are getting.
Thanks for the pointers in your e-mail, I was able to use that to get a
lot of detailed information.
Matt Nuzum
On Thu, 2002-02-21 at 01:40, Eugene Crosser wrote:
On Wed, 20 Feb 2002 16:26:56 -0800 Jeff Lasman <jblists@xxxxxxxxxxxxx> wrote:
> > > I know of ONE way that will take care of this problem definitively,
> > > and that is to buy a wildcard cert from Thawte. However, they now charge
> > > per domain, which is extremely limiting to me.
> >
> > Some CAs (Verisign?) can sell you a CA certificate that
> > would allow you to sign your sites' certificates, and
> > still have them recognized as valid by browsers. Of course
> > this is not cheap.
>
> Check www.geotrust.com. They've got a wildcard certificate available
> for *.yourdomain.com for us$400.
Usually you do not need a wildcard certificate. This is not
advertised, but browsers (most of them?) do a "suffix match"
on the CNAME. That is, purchase a certificate for "xyz.com",
and use it on the servers abc.xyz.com, def.xyz.com,
ghi.xyz.com - browsers will think that the name matches OK.
But I was talking about a *different* thing: that you can
buy a certificate that entitles you as a ("local") CA,
so that you can issue site certificates yourself.
I'd like to add that this whole CA business makes
me uneasy. Essentially, it is about making money out of
thin air (noticeable income for a thing that requires near
zero work). As such, it inevitably attracts the lovers
of easy money rather than trustworthy businesses. Which
defeats the whole idea of a CA as a 100% trusted entity.
Eugene
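
An added example, not part of the original thread: Python code that applies the DNS-name matching rules RFC 6125 describes for TLS clients to the certificate names mentioned in the messages above (`xyz.com`, `*.yourdomain.com`). The function names are illustrative, the host names checked are constructed sample input, and rejecting partial-label wildcards is a strict policy choice assumed here.

```python
"""Certificate name matching in the style of RFC 6125, section 6.4.3."""


def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """Return True if the certificate DNS name `pattern` covers `host`."""
    p, h = _labels(pattern), _labels(host)
    # Empty labels are malformed; a wildcard stands for exactly one label,
    # so the label counts must be equal in every case.
    if "" in p or "" in h or len(p) != len(h):
        return False
    # A wildcard is only honoured in the left-most label.
    if any("*" in label for label in p[1:]):
        return False
    if "*" in p[0]:
        # Assumed strict policy: the label must be exactly "*", and at least
        # two labels must follow it, so "*.com" never matches anything.
        if p[0] != "*" or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def cert_covers(dns_names, host):
    """True if any DNS name listed in the certificate covers `host`."""
    return any(name_matches(n, host) for n in dns_names)


def coverage_report(dns_names, hosts):
    """Map each host to whether the certificate's names cover it."""
    return {host: cert_covers(dns_names, host) for host in hosts}


if __name__ == "__main__":
    # Constructed sample input using the names from the thread.
    print(coverage_report(["xyz.com"], ["xyz.com", "abc.xyz.com"]))
    print(coverage_report(["*.yourdomain.com"],
                          ["www.yourdomain.com", "yourdomain.com",
                           "a.b.yourdomain.com"]))
```

Under these rules a certificate meant for both the bare domain and its first-level subdomains has to list both `xyz.com` and `*.xyz.com`.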