Sujet : Re: Chromium and self-signed certificates
De : ldo (at) *nospam* nz.invalid (Lawrence D'Oliveiro)
Groupes : comp.sys.raspberry-piDate : 01. Sep 2024, 08:46:27
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <vb164i$1dlt4$11@dont-email.me>
References : 1 2 3 4 5 6
User-Agent : Pan/0.160 (Toresk; )
On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:
I thought the host certificate _became_ a CA
certificate through the self-signing process..... So, I actually need
_two_ certificates, one for the server and one for the signing
authority, both created on the sesrver?
A CA cert needs to be self-signed, since of course there is nobody higher
(within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.
The OS (or the browser) typically comes with a set of CA certs that it
trusts, preinstalled. So any cert signed (directly or indirectly) by any
of these CAs becomes trusted as well. And you should be able to add to
these certs, or even remove them.
Presumably the client (a Pi5 running RasPiOS) already has created its
own?
Its own CA? Hard to think why it would.
The procedure for being your own CA is a lot simpler in OpenSSL 3. I
have some notes here <https://gitlab.com/ldo/ssl_try_python/>.
Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
shortly
I should mention that my example use of TLS/SSL is as a wrapper for an
entirely custom protocol, not related to HTTP/HTTPS. There are certain
requirements for certs used for HTTP/HTTPS, where the “subject” field must
contain the fully-qualified DNS name in the “CN=” part.
Chromium and self-signed certificates
Re: Chromium and self-signed certificates
