Jump to content

Recommended Posts

Posted

I need some SSL certificates.

Does anyone know of a good tutorial on how to generate SSL certs without using a certificate authority?

Im fairly certain that it is possible to make them without creating a CA/

Host machine is ubuntu server 9.04

Posted

http://www.akadia.com/services/ssh_test_certificate.html

Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks.

They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert.

Posted
http://www.akadia.com/services/ssh_test_certificate.html

Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks.

They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert.

That said self signed certs are useful when you do not need a 'client facing' ssl secured page, i.e. a web service, as PHP has a major problem verifying SSL certs most developers choose to disable this check, I would only use this in the case where you want network level security (SSL encryption of transmitted data, PCI compliance etc ...)

Again this doesn't stop the MITM attacks, an additional step is to lockdown the access by IP address and even the device MAC, but then these too can be circumvented, it depends what you are trying to achieve.

If it is just a web service between two servers, an SSH SOCKS tunnel to the server running the webservice, which is then locked down to only allow access to localhost using htaccess, would be a way to secure this.

Anyway This is going off at a tangent, just some food for thought.

Posted

Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user.

Posted
Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user.

Oh yea. now I remember. lol. just has a brain fart.

Posted
Because they don't want to buy the certificates? Because they are lazy and don't want to sign them (they are probably a CA)?

yea, I edited that part out of the post as soon as you saw it I geuss. lol

But that tutorial looks pretty straight forward. Im gonna give it a go.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...