How to trust my own self-signed SSL cert?
Solution 1
If you create your own certificate, generated from your own Certificate Authority, you can configure your browser of choice to trust that CA. That way it will trust the certificate you created from that CA. A random person creating a certificate with identical information to yours should cause your browser to throw SSL validation failure errors, since that certificate would not be signed by a CA you trust.
Solution 2
If you are the only one to use the domain, then a self-signed certificate is sufficient. Creating your own certificate means generating your own CA private key. As long as you can keep this private key secure, you then don't have to worry about anyone forging certificates. Without this private key it's impossible for anyone to generate a certificate with the same public key, and you will be able to tell by comparing the public keys.
Solution 3
You can save the CA public key file on a memory stick and import it into any browser you are using.
The file could also be on the web at an address you can easily remember.
It may be worth your time to look at joining CACert (http://www.cacert.org/) so you only have the one CA to worry about for multiple uses.
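The following script is an added example, not code from any of the answers above. It walks through Solution 1 (a private CA that signs the server certificate, with `ca.crt` being the file you would import into a browser as Solution 3 suggests) and Solution 2 (telling your certificate from an impostor's by its key rather than its subject information). It also shows the fingerprint check the comments below arrive at. It assumes OpenSSL 1.1.1 or newer is installed; the host name `webmail.example.test` and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original answers: a private CA, a server
# certificate issued by it, and an impostor certificate with the same subject.
# Assumes OpenSSL (1.1.1 or newer) is installed. The host name and directory
# are constructed for this demo.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="webmail.example.test"   # constructed demo host name

# Step 1 (Solution 1): create the CA key and the self-signed CA certificate.
# ca.crt is the file you import into a browser; ca.key must stay private.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=My Private CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Step 2: issue the server certificate, signed with the CA key. Current
# browsers require a subjectAltName, so one is added via an extension file.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$HOST" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 825 -extfile "$WORKDIR/san.ext" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# Step 3: what someone without ca.key can produce: a self-signed certificate
# carrying exactly the same subject information as the real one.
make_impostor_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -subj "/CN=$HOST" \
    -keyout "$WORKDIR/impostor.key" -out "$WORKDIR/impostor.crt" 2>/dev/null
}

# Chain check, as a browser that trusts ca.crt performs it. Prints ok or fail.
verify_against_ca() {
  if openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The subject line is identical for the real and the impostor certificate,
# which is why the subject alone proves nothing.
subject_of() {
  openssl x509 -in "$1" -noout -subject
}

# SHA-256 fingerprint: the value to write down for machines where the CA
# cannot be imported (a short form of Solution 2's "compare the public keys").
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Compare a certificate's fingerprint with the value noted earlier.
check_fingerprint() {   # $1 = expected fingerprint, $2 = certificate file
  if [ "$(fingerprint "$2")" = "$1" ]; then echo ok; else echo fail; fi
}

make_ca
issue_server_cert
make_impostor_cert
NOTED="$(fingerprint "$WORKDIR/server.crt")"   # what you would carry with you

echo "real cert subject:     $(subject_of "$WORKDIR/server.crt")"
echo "impostor cert subject: $(subject_of "$WORKDIR/impostor.crt")"
echo "real cert, CA check:        $(verify_against_ca "$WORKDIR/server.crt")"    # ok
echo "impostor cert, CA check:    $(verify_against_ca "$WORKDIR/impostor.crt")"  # fail
echo "real cert, fingerprint:     $(check_fingerprint "$NOTED" "$WORKDIR/server.crt")"    # ok
echo "impostor cert, fingerprint: $(check_fingerprint "$NOTED" "$WORKDIR/impostor.crt")"  # fail
```

The script leaves its files in `$WORKDIR` so you can inspect them; `ca.crt` is the only file that needs to travel (on a memory stick, as Solution 3 describes), while `ca.key` and `server.key` stay on their respective machines. On a machine where you cannot import the CA, the fingerprint printed by `fingerprint` is the value to compare against what the browser shows in its certificate viewer before you accept an exception. Newer OpenSSL releases prefer `-noenc` over `-nodes`, but `-nodes` is still accepted.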
EEAA
Updated on September 17, 2022
Comments
-
EEAA over 1 year
I have a domain that I want to have webmail on, and I want it to be secure. I'm the only one who uses this site, yet I still want it to be secure.
I can't afford, and I don't think it makes sense to pay a CA to sign my cert.
I have SSL working at the moment with my self-signed cert... but I want to know if it is enough.
If someone generates a self signed cert with the same info as my certificate, is there any way I can tell, short of memorizing the serial number or something?
-
gbroiles over 13 years
CA-signed certs are really not very expensive these days - it's possible to get one for < $15/year at GoDaddy or some Comodo resellers. StartSSL (www.startssl.com) will give you a basic CA-signed cert for free, though they want $50 to do the validation for more complicated certs (such as wildcard certs).
-
Admin over 13 years
Are there any free CA-signed certs that are automatically in the browsers' ring of trust?
-
gbroiles over 13 years
StartSSL is in newer browsers.
-
Admin over 13 years
How does that help with a MITM attack? If someone provides their own certificate for my domain with the same information, how would I be able to detect this... unless I memorize some of the numbers unique to my certificate?
-
EEAA over 13 years
Jacob - the point is that the information you enter while creating the certificate has nearly nothing to do with the randomly-generated part of the key. It would be next to impossible for someone to generate an identical key.
-
Admin over 13 years
The problem with this is that the whole point of webmail is that I can check my email from computers that are not my own. I travel a lot, so I often use hotel computers, internet cafes, etc. I want to be able to check my webmail securely. As my CA is not in a ring of trust, when I am on a new computer, I have to (in Firefox) confirm the exception, and then allow the certificate. My question is: if someone is doing a MITM attack on me, how can I know if I am allowing my certificate, or the attacker's?
-
86bornprgmr over 13 years
I thought of that, but what I want to secure is webmail. The point of this is that I often check my mail via webmail from internet cafes, hotel computers or whatever, maybe even a friend's laptop. When I have to confirm that I trust the certificate, how can I differentiate my certificate from an attacker's?
-
Deb over 13 years
@Jacob Ah, for THAT you will have to actually look at the cert. Most browsers allow you to at least view it before accepting it. You'll have to memorize some hex numbers.
-
86bornprgmr over 13 years
Ahh, so it does come down to memorizing the unique aspects of the cert. Dang... and thanks.
-
Rob Olmos over 13 years
OK, I see your point; in that case it's memorizing the fingerprint, as sysadmin1138 said. It may also be more secure to carry around a portable USB Firefox. Also, don't forget the keyloggers.