Re: Chromium and self-signed certificates

Subject : Re: Chromium and self-signed certificates
From : <bp (at) *nospam* www.zefox.net>
Newsgroups : comp.sys.raspberry-pi
Date : 01. Sep 2024, 17:28:43
Organization : A noiseless patient Spider
Message-ID : <vb24nq$1huca$2@dont-email.me>
User-Agent : tin/2.6.2-20221225 ("Pittyvaich") (FreeBSD/14.0-RELEASE-p9 (arm64))
Lawrence D'Oliveiro <ldo@nz.invalid> wrote:
> On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:
>
>> I thought the host certificate _became_ a CA
>> certificate through the self-signing process..... So, I actually need
>> _two_ certificates, one for the server and one for the signing
>> authority, both created on the server?
>
> A CA cert needs to be self-signed, since of course there is nobody higher
> (within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.
> The OS (or the browser) typically comes with a set of CA certs that it
> trusts, preinstalled. So any cert signed (directly or indirectly) by any
> of these CAs becomes trusted as well. And you should be able to add to
> these certs, or even remove them.
>
>> Presumably the client (a Pi5 running RasPiOS) already has created its
>> own?
>
> Its own CA? Hard to think why it would.

Ah, only a host certificate is needed for an anonymous client, like
my browser?

> The procedure for being your own CA is a lot simpler in OpenSSL 3. I
> have some notes here <https://gitlab.com/ldo/ssl_try_python/>.

Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
shortly.

> I should mention that my example use of TLS/SSL is as a wrapper for an
> entirely custom protocol, not related to HTTP/HTTPS. There are certain
> requirements for certs used for HTTP/HTTPS, where the “subject” field must
> contain the fully-qualified DNS name in the “CN=” part.

That much I gathered. Still, it looks like there are three uses for
encrypted, authenticated communications between hosts: Mail, web traffic
and remote logins. SSL is installed and working for remote logins on all
the hosts under my control by default. Can a single ssl/tls configuration
support all three services? Am I wrong to think of ssl and tls as one thing?

Apologies for all the naive questions!

bob prohaska
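
As an added example (not part of the original post or of the notes linked in it), the two-certificate arrangement asked about above can be built with the openssl command line: a self-signed CA certificate, then a host certificate signed by that CA. The host name, subject names and file names are constructed placeholders; the subjectAltName entry is included because current Chromium matches the host name against it rather than against CN.

```shell
#!/bin/sh
# Added example: a private CA plus one host certificate signed by it.
# All names are constructed placeholders, not values from the thread.
set -eu
HOST="pi5.home.example"   # assumed FQDN of the web server

make_ca() {   # $1 = work dir; writes ca.key and the self-signed ca.crt
  cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/req.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_host_cert() {   # $1 = work dir, $2 = host name; the CA signs the host's CSR
  cat > "$1/host.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/req.cnf" \
    -keyout "$1/host.key" -out "$1/host.csr" 2>/dev/null
  openssl x509 -req -in "$1/host.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -extfile "$1/host.ext" -out "$1/host.crt" 2>/dev/null
}

check_chain() {   # succeeds only if host.crt chains to ca.crt and names $2
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/host.crt" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_ca "$dir"
make_host_cert "$dir" "$HOST"
check_chain "$dir" "$HOST" && echo "OK: $dir/host.crt is signed by $dir/ca.crt"
```

Only ca.crt is imported into the client's trust store; ca.key stays on the machine that does the signing, and host.key stays on the server.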

 


