|
04-22-2005, 06:56 AM
|
#1 (permalink) |
|
Insane
Location: La la land
|
SSL Cert 128bit - Anyone make their own instead of buying?
I am looking to make a secure page for webmail that only I and one other person will be accessing. So I don't really want to pay for a cert each year from Verisign or Thawte, etc.
Anyone here make their own? How hard is it? Am I going to run into some sort of trust problem?
__________________
40 |
|
|
04-22-2005, 07:26 AM
|
#2 (permalink) | |
|
Professional Loafer
Location: texas
|
It's easy. Windows Server and linux come with it available. If you're just using it for yourself and one other person, thats fine. The only reason you would want one from Thawte or similar is because of credit card transactions over the web or outside clients/trusted others to be able to authenticate to your site.
I have a cert. server setup on an internal page here so we can use digital signature to sign documents and whatnot. This is only used on our intranet server. The certs. I have from Verisign are for our border web servers. It's not hard to install cert server and run it at all. The other person is going to have to make him a certificate on the cert server as well and you both accept each other's certificate. Also would tell you that SSL Certs. from Thawte and Verisign aren't cheap. I think 128-bit certs. are like $150 / yr. From Thawte's website: Quote:
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane." Last edited by bendsley; 04-22-2005 at 07:29 AM.. |
|
|
|
|
04-22-2005, 07:28 AM
|
#3 (permalink) |
|
Insane
Location: La la land
|
Yeah I have just run into problems before that the thing always pops up that the certificate isn't from a trusted authority and even though I tried to accept it and trust it, it for some reason wouldn't take.
I didn't really care though with this because I don't want to spend money on a certificate from a trusted authority if it is only me and one person using it. Its not worth the money.
__________________
40 |
|
|
|
04-22-2005, 07:31 AM
|
#4 (permalink) |
|
Professional Loafer
Location: texas
|
If you run into problems like him and trusted authority, then you need to export your certificate and let him import it. That should take care of it.
__________________
"You hear the one about the fella who died, went to the pearly gates? St. Peter let him in. Sees a guy in a suit making a closing argument. Says, "Who's that?" St. Peter says, "Oh, that's God. Thinks he's Denny Crane." |
|
|
|
04-22-2005, 10:31 AM
|
#6 (permalink) |
|
Insane
|
http://www.cacert.org/
Free SSL certificates. The only thing you have to do is import their root certificate (since it isn't shipped by default by many current browsers). Therefore, you will still the untrusted site dialog ("This certificate comes from an untrusted source, what would you like to do?"), but: 1. You don't have to go through the trouble of trying to figure out how to create an SSL certificate yourself (You have to create your own root certificate, then create a certificate request and then sign your certificate request with your own root certificate, blah blah blah). 2. As time passes, the authority will gain more popularity and hopefully more trust. 3. It's free. You get what you pay for. Let's not forget that Versign is NOT worth any money. Why? I once bought a digital certificate that I could use to sign my e-mail. It cost me $10-20 if I remember, but in no way did they ask for any verifiable proof that I was who I said I was. What good is that? Certificates were created so that if in any event information was compromised, someone is definitely held accountable, and that you know exactly who it is. It is kind of like trading GPG keys - you don't ever trust a key unless at the very least you have seen their fingerprint and can verify their owner's identity (and you trust them).
__________________
"You looked at me as if I was eating runny eggs in slow motion." - Gord Downie of The Tragically Hip Last edited by trache; 04-22-2005 at 10:42 AM.. |
|
|
|
04-22-2005, 11:00 AM
|
#7 (permalink) |
|
I am Winter Born
Location: Alexandria, VA
|
Self-signed certificates (what you're discussing) open a particular hole in trusted communications: Man in the Middle Attacks. If you're doing any kind of business communications (or anything with sensitive data), you're really better off with a trusted third party-signed certificate (such as Verisign or Thawte). The point of the trusted third party is so that an attacker cannot position themselves between you and the computer you're talking to and eavesdrop/alter all communications.
Self-signed certificates allow an attacker to generate a certificate signed "by the same authority" as yours and just tell (the curious attackee) "Oh, we had to generate a new certificate, but it's still me. I promise." As to trache, the digital certificate isn't saying "I am Joe Bob Smith", it's saying "Everything signed this this certificate is coming from the same person." |
|
|
|
04-22-2005, 12:44 PM
|
#8 (permalink) |
|
Insane
Location: La la land
|
I installed a CA on my windows 2000 server, then I went through all the steps of making the cert.
So now it works.... but I am running into a crazy problem. In IE, it takes a good 30 or 40 seconds when going to the page for the box to pop up about the cert. In Firefox, it is immediate. I wouldn't care, but this is the ONLY site I use IE for, simply because it is Outlook Web Access and it sucks without active x. This guy is having the exact same issue... http://groups-beta.google.com/group/...2188e517a35115 I am going to try to follow the steps on that first MS knowledgebase article and see if it solves the issue...
__________________
40 |
|
|
| Tags |
| 128bit, buying, cert, make, ssl |
|
|
