How to trust my own self-signed SSL cert?

18,842

Solution 1

If you create your own certificate, generated from your own Certificate Authority, you can configure your browser of choice to trust that CA. That way it will trust the certificate you created from that CA. A random person creating a certificate with identical information to yours should cause your browser to throw SSL validation failure errors, since that certificate would not be signed by a CA you trust.

Solution 2

If you are the only one to use the domain, then a self-signed certificate is sufficient. Creating your own certificate means generating your own CA private key. As long as you can keep this private key secure, you then don't have to worry about anyone forging certificates. Without this private key it's impossible for anyone to generate a certificate with the same public key, and you will be able to tell by comparing the public keys.

Solution 3

You can save the CA public key file on a memory stick and import it into any browser you are using.

The file could also be on the web at an address you can easily remember.

It may be worth your time to look at joining CACert (http://www.cacert.org/) so you only have the one CA to worry about for multiple uses.

Author: EEAA

IT Director at a Minneapolis-area technology incubator. Husband. Father. AWS Expert. If you're in a bind and need some help, contact me and we'll see if we can work something out. Contact Info: erikerik (at) gmail (dot) com

Updated on September 17, 2022

Comments

  • EEAA
    EEAA over 1 year

    I have a domain that I want to have webmail on, and I want it to be secure. I'm the only one who uses this site, yet I still want it to be secure.

    I can't afford, and I don't think it makes sense to pay a CA to sign my cert.

    I have SSL working at the moment with my self-signed cert...but I want to know if it is enough.

    If someone generates a self-signed cert with the same info as my certificate, is there any way I can tell, short of memorizing the serial number or something?

    • gbroiles
      gbroiles over 13 years
      CA-signed certs are really not very expensive these days - it's possible to get one for < $15/year at GoDaddy or some Comodo resellers. StartSSL (www.startssl.com) will give you a basic CA-signed cert for free, though they want $50 to do the validation for more complicated certs (such as wildcard certs).
    • Admin
      Admin over 13 years
      Are there any free CA-signed certs that are automatically in the browsers' ring of trust?
    • gbroiles
      gbroiles over 13 years
      StartSSL is in newer browsers.
  • Admin
    Admin over 13 years
    How does that help with a MITM attack? If someone provides their own certificate for my domain with the same information, how would I be able to detect this ...unless I memorize some of the numbers unique to my certificate?
  • EEAA
    EEAA over 13 years
    Jacob - the point is that the information you enter while creating the certificate has nearly nothing to do with the randomly-generated part of the key. It would be next to impossible for someone to generate an identical key.
  • Admin
    Admin over 13 years
    The problem with this is that the whole point of webmail is that I can check my email from computers that are not my own. I travel a lot, so I often use hotel computers, internet cafes etc. I want to be able to check my webmail securely. As my CA is not in a ring of trust, when I am on a new computer I have to (in Firefox) confirm the exception and then allow the certificate. My question is: if someone is doing a MITM attack on me, how can I know if I am allowing my certificate or the attacker's?
  • 86bornprgmr
    86bornprgmr over 13 years
    I thought of that, but what I want to secure is webmail. The point of this is that I often check my mail via webmail from internet cafes, hotel computers or whatever, maybe even a friend's laptop. When I have to confirm that I trust the certificate, how can I differentiate my certificate from an attacker's?
  • Deb
    Deb over 13 years
    @Jacob Ah, for THAT you will have to actually look at the cert. Most browsers allow you to at least view it before accepting it. You'll have to memorize some hex-numbers.
  • 86bornprgmr
    86bornprgmr over 13 years
    Ahh, so it does come down to memorizing the unique aspects of the cert. Dang...and thanks.
  • Rob Olmos
    Rob Olmos over 13 years
    OK I see your point, in that case it's memorizing the fingerprint as sysadmin1138 said. It may also be more secure to carry around a portable USB Firefox. Also, don't forget the keyloggers.
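The two things this thread converges on, a private CA whose certificate you import into the browser (Solution 1) and a memorized fingerprint you compare against whatever certificate a strange computer presents (the comments), can both be tried end to end with the OpenSSL command line. The script below is an added example written for this page, not code from any of the posters; the hostname, file paths, key sizes and validity periods are assumptions. It builds a CA, issues a leaf certificate for the webmail host, records the leaf's SHA-256 fingerprint as the "pin", then generates a lookalike self-signed certificate with the identical subject and SAN and shows that both checks (fingerprint match, chain validation against your CA) reject it even though the human-readable details are the same.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed values: hostname,
# working directory, RSA-2048 keys, 10-year CA / 1-year leaf validity.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="webmail.example.test"   # assumed hostname for the webmail site

make_ca() {
  # Private CA. ca.key stays offline; ca.crt is what you import into browsers.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=My Private CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

make_leaf() {
  # Server key + CSR, then sign it with the CA. Modern browsers require a SAN.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -sha256 -days 365 \
    -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -extfile "$WORKDIR/san.ext" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

fingerprint() {
  # SHA-256 fingerprint of a PEM cert: the value a browser's certificate
  # viewer shows, and the thing the thread suggests memorizing.
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

pin_matches() {
  # $1 = certificate presented to you, $2 = fingerprint you recorded earlier.
  if [ "$(fingerprint "$1")" = "$2" ]; then echo match; else echo MISMATCH; fi
}

chain_valid() {
  # What the browser does once ca.crt is in its trust store.
  if openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_lookalike() {
  # A self-signed cert with the same subject and SAN but a different key:
  # the "same info as my certificate" case raised in the question.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORKDIR/lookalike.key" -out "$WORKDIR/lookalike.crt" 2>/dev/null
}

demo() {
  make_ca
  make_leaf
  make_lookalike
  PIN="$(fingerprint "$WORKDIR/server.crt")"
  echo "pinned fingerprint: $PIN"
  echo "genuine cert:   $(pin_matches "$WORKDIR/server.crt" "$PIN") / chain $(chain_valid "$WORKDIR/server.crt")"
  echo "lookalike cert: $(pin_matches "$WORKDIR/lookalike.crt" "$PIN") / chain $(chain_valid "$WORKDIR/lookalike.crt")"
}

demo
```

Only `ca.crt` (the public half) needs to travel on the memory stick or be fetched from a memorable URL; `ca.key` never leaves the machine that signs certificates. The fingerprint check is the one that still works on a computer where you cannot or would rather not import a CA, which is why the commenters land on memorizing it.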