[ale] SSL Certs for $14.95

Michael H. Warfield mhw at WittsEnd.com
Thu Apr 6 12:15:00 EDT 2006


On Thu, 2006-04-06 at 09:54 -0400, James P. Kinney III wrote:
> On Thu, 2006-04-06 at 09:02 -0400, Christopher Fowler wrote:
> > As soon as I get off Earthlink then I can get the servers in DNS and get
> > my certs signed.
> > 
> I have signed certs for just an IP address for one client. Apache is
> configured to use the IP as the server name and the cert is just fine
> with that.

	This is the first I have ever heard of anything like this.  You
actually got one of the well known global CAs to sign such a thing?
Last time I had a cert from Verisign or Thawte, I had to provide some
level (not much with Thawte, but still some) that I owned the DN in the
cert or had rights to it.  Now, I'll admit, several of the CAs have
been caught with their pants down permitting things like software
signing certs proclaiming to be from Microsoft and other such nonsense,
but a cert tied to an IP (and a provider based IP, no less, and not a PI
IP address) just seems way out of line.

> The only thing the cert with a real servername does (instead of an IP
> address) is it makes it possible to transfer the web server to a new
> hosting environment and just copy over the cert. As long as the server
> name is the same, all is good.  In the case of my guy with the IP
> address, he changed ISP and thus got a new IP address for his server.
> That required him to buy a new cert.

	That just seems wrong, on several levels.  Not that he had to get
another cert but that a CA was stupid enough to sign an IP based server
certificate in the first place.  I guess, if you are willing enough to
pay them enough money, but where was their due diligence in validating
rights to use that IP address?

> But also heed Mike Warfield's warning about client certs. If hardware
> clients are going to access the server without users looking at a
> screen, you don't need a signed cert. Set up a CA machine and use it to
> generate the cert for the server and then use it to sign the client
> certs. Make a client cert for each physical client. You will need to
> import the CA cert into each client system in order to use your new CA
> system. That is the same security as having a Thawte cert accepted as a
> CA in Firefox. 

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
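The private-CA setup James outlines above (one CA, a server cert it signs, one client cert per device, the CA cert imported into each client), as an added example that is not part of the thread. It assumes openssl 1.1.1 or newer on PATH; the hostnames, the IP address and the file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA with openssl, as the quoted reply
# outlines: one CA key/cert, a server cert it signs, and one client cert per device.
# Assumes openssl 1.1.1 or newer on PATH; every hostname, IP and path below is constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Self-contained config so the result does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca: self-signed CA cert; this is the file each client later imports as trusted.
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Private CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <CN> <serverAuth|clientAuth> <subjectAltName>
# Extensions are set by the CA at signing time, never copied from the CSR, so a
# requester cannot ask for CA:TRUE or a purpose it should not have.
issue_cert() {
  name=$1; cn=$2; eku=$3; san=$4
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\n' > "$WORK/$name.ext"
  printf 'extendedKeyUsage = %s\nsubjectAltName = %s\n' "$eku" "$san" >> "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_cert <cert> <sslserver|sslclient>: 0 only if the chain ends at our CA and the
# cert's key usage and EKU fit that purpose (what a TLS peer checks, in effect).
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# The server cert may carry an IP SAN: under your own CA you set the naming policy.
make_ca
issue_cert server   server.example.test   serverAuth "DNS:server.example.test,IP:192.0.2.10"
issue_cert client01 client01.example.test clientAuth "DNS:client01.example.test"
verify_cert "$WORK/server.crt"   sslserver && echo "server cert accepted for sslserver"
verify_cert "$WORK/client01.crt" sslclient && echo "client cert accepted for sslclient"
verify_cert "$WORK/client01.crt" sslserver || echo "client cert rejected as a server cert (expected)"
```

Point the server at ca.crt for client verification and at server.key/server.crt for its own identity; each device gets its own client01-style key pair, and ca.crt is the only thing that needs to be distributed as trusted.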
