delegating SSL certificates

Dave Howe DaveHowe at gmx.co.uk
Sat Mar 15 18:41:15 EDT 2008


travis+ml-cryptography at subspacefield.org wrote:
> So at the company I work for, most of the internal systems have
> expired SSL certs, or self-signed certs.  Obviously this is bad.

Sorta. TLS gets along with self-signed just fine though, and obviously 
you can choose to accept a root or unsigned cert on a per-client basis.

> I know that if we had IT put our root cert in the browsers, that we
> could then generate our own SSL certs.

Sure. For IE it's just a registry key, trivial to push out using login 
scripts etc.

> Are there any options that don't involve adding a new root CA?

buying an intermediate cert from an existing CA? buying a "wildcard" cert 
for your domain, and using the same wildcard cert on all nodes?

> I would think this would be rather common, and I may have heard about
> certs that had authority to sign other certs in some circumstances...

at one point, you could use *any* cert to sign another cert; IE didn't 
bother checking. I believe they have fixed that now.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
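The reply above makes two points worth seeing end to end: an internal root CA that IT pushes into the browser store is enough to issue your own server certs, and a verifier that does not check whether the signer is actually a CA (the old IE behaviour) is the failure mode that makes "any cert can sign another cert" possible. The script below is an added example, not part of the original thread or anything the list published. It uses only the openssl CLI, and every name (the "Example Internal Root CA" subject, the example.internal hostnames, the file names) is constructed for the demo. It builds a private root, issues a CA:FALSE server cert from it, then signs a second cert with the server cert's key and checks that a modern verifier rejects that chain while accepting the legitimate one.

```shell
#!/bin/sh
# Added example (not from the original thread): a private root CA, one server
# cert issued from it, and a check that a cert signed by that server cert is
# rejected because the server cert is not a CA. All names are constructed.
# Requires the openssl CLI (1.1.1 or newer).
set -e

# Write the extension profiles used below into $1/ext.cnf.
write_config() {
  cat > "$1/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:intranet.example.internal
EOF
}

# Create the root CA, a legitimate leaf, and a "rogue" cert signed by the leaf key.
make_demo_pki() {
  dir=$1
  write_config "$dir"
  # 1. Self-signed root: this is the cert IT would push into the browser store.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/root.key" -out "$dir/root.crt" \
    -subj "/CN=Example Internal Root CA" \
    -config "$dir/ext.cnf" -extensions v3_ca >/dev/null 2>&1
  # 2. Server cert issued by the root, explicitly marked CA:FALSE.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=intranet.example.internal" -config "$dir/ext.cnf" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/leaf.csr" \
    -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
    -out "$dir/leaf.crt" -extfile "$dir/ext.cnf" -extensions v3_leaf >/dev/null 2>&1
  # 3. A cert signed with the *leaf's* key: an end-entity cert acting as a CA.
  #    openssl will happily produce it; the question is whether verifiers accept it.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/rogue.key" -out "$dir/rogue.csr" \
    -subj "/CN=payroll.example.internal" -config "$dir/ext.cnf" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/rogue.csr" \
    -CA "$dir/leaf.crt" -CAkey "$dir/leaf.key" -CAcreateserial \
    -out "$dir/rogue.crt" -extfile "$dir/ext.cnf" -extensions v3_leaf >/dev/null 2>&1
}

# Returns 0 when the chain leaf -> root validates against the root store.
leaf_chain_ok() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Returns 0 when the verifier rejects rogue -> leaf -> root, i.e. it enforces
# basicConstraints/keyUsage on the leaf (OpenSSL reports "invalid CA certificate").
rogue_rejected() {
  if openssl verify -CAfile "$1/root.crt" -untrusted "$1/leaf.crt" \
       "$1/rogue.crt" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print a one-line summary of each outcome.
report() {
  if leaf_chain_ok "$1"; then echo "leaf signed by root: accepted"; fi
  if rogue_rejected "$1"; then echo "cert signed by the leaf: rejected (leaf is not a CA)"; fi
}

main() {
  dir=$(mktemp -d)
  make_demo_pki "$dir"
  report "$dir"
  rm -rf "$dir"
}
main
```

Running it prints the two verdicts; the second line is the check that the old IE behaviour skipped. The same profiles are what you would hand to a real internal CA: the root carries CA:TRUE plus keyCertSign, every server cert carries CA:FALSE, and a verifier that honours those constraints cannot be talked into treating an intranet server's key as an issuer.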