Sujet : Re: Chromium and self-signed certificates
De : <bp (at) *nospam* www.zefox.net>
Groupes : comp.sys.raspberry-piDate : 01. Sep 2024, 01:43:57
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <vb0dcd$17650$2@dont-email.me>
References : 1 2 3 4 5
User-Agent : tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE-p9 (arm64))
Lawrence D'Oliveiro <
ldo@nz.invalid> wrote:
On Sat, 31 Aug 2024 00:54:42 -0000 (UTC), bp wrote:
The command to generate the self-signed certificate and key pair was
openssl req -new -x509 -days 365 -sha3-512 -keyout host.key -out host.crt
based on instructions from
https://docs.freebsd.org/en/books/handbook/security/ combined with some
private correspondence suggesting it worked correctly.
I had a look at those instructions, and they don’t mention how to
generate the actual CA cert. Having your own CA cert means you only
have to import it once into a browser (or other SSL/TLS client), and
it will thereafter trust all certs signed by this CA.
>
Ok, that explains a lot. I thought the host certificate _became_ a
CA certificate through the self-signing process..... So, I actually
need _two_ certificates, one for the server and one for the signing
authority, both created on the sesrver? Presumably the client (a Pi5
running RasPiOS) already has created its own?
The procedure for being your own CA is a lot simpler in OpenSSL 3. I
have some notes here <https://gitlab.com/ldo/ssl_try_python/>.
Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
shortly
You've cleared up vast confusion, thank you!
bob prohaska
Chromium and self-signed certificates
Re: Chromium and self-signed certificates
