ssmithisme Posted July 26, 2009 Posted July 26, 2009 I need some SSL certificates. Does anyone know of a good tutorial on how to generate SSL certs without using a certificate authority? Im fairly certain that it is possible to make them without creating a CA/ Host machine is ubuntu server 9.04 Quote
Sparda Posted July 27, 2009 Posted July 27, 2009 http://www.akadia.com/services/ssh_test_certificate.html Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks. They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert. Quote
Oneiroi Posted July 27, 2009 Posted July 27, 2009 http://www.akadia.com/services/ssh_test_certificate.html Using a self signed cert will make every browser prompt the user with "Are you sure you want to do this?". In addition to this, the security gain is questionable as self signed certs are vulnerable to MITM attacks. They are only properly useful for internal use (where the CA is deployed to every computer) and also testing that some thing works over SSL before buying a proper cert. That said self signed certs are useful when you do not need a 'client facing' ssl secured page, i.e. a web service, as PHP has a major problem verifying SSL certs most developers choose to disable this check, I would only use this in the case where you want network level security (SSL encryption of transmitted data, PCI compliance etc ...) Again this doesn't stop the MITM attacks, an additional step is to lockdown the access by IP address and even the device MAC, but then these too can be circumvented, it depends what you are trying to achieve. If it is just a web service between two servers, an SSH SOCKS tunnel to the server running the webservice, which is then locked down to only allow access to localhost using htaccess, would be a way to secure this. Anyway This is going off at a tangent, just some food for thought. Quote
ssmithisme Posted July 27, 2009 Author Posted July 27, 2009 It would be used as a certificate for HTTP, just to encrypt traffic. And a MITM attack wouldnt mean much unless the attacker has the private key, correct? Quote
Sparda Posted July 27, 2009 Posted July 27, 2009 Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user. Quote
ssmithisme Posted July 27, 2009 Author Posted July 27, 2009 Well no, they can just use there own certificate in a MITM attack since it would be as genuine as the one you made. Unless the browser knows about your CA, the attackers CA (probably using the same name) will look the same to the end user. Oh yea. now I remember. lol. just has a brain fart. Quote
Sparda Posted July 27, 2009 Posted July 27, 2009 Because they don't want to buy the certificates? Because they are lazy and don't want to sign them (they are probably a CA)? Quote
ssmithisme Posted July 27, 2009 Author Posted July 27, 2009 Because they don't want to buy the certificates? Because they are lazy and don't want to sign them (they are probably a CA)? yea, I edited that part out of the post as soon as you saw it I geuss. lol But that tutorial looks pretty straight forward. Im gonna give it a go. Quote
Brian Sierakowski Posted July 29, 2009 Posted July 29, 2009 Ya, the idea with certificates is that you can verify with a trusted 3rd party, if you skip the 3rd party you don't have too much more then the machine claiming it's own legitimacy. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.