[Ach] Certificate Authorities and Self-signed crap

Philipp Gühring pg at futureware.at
Sat Dec 14 21:24:37 CET 2013


Hi,

> >> Now I’m the first to point out that CAs are basically snake-oil and
> do nothing but print money *. But: as the state of the internet is, we
> need them. We’re recommending stuff to operations people, not your
> casual hacker running his DEC Alpha with strong crypto to serve his
> friends. Because of this, we should clearly state that self-signed
> certificates cause a lot of trouble
> > Depends on the context. 


> > Sometimes running an OpenVPN with certificates issued by an official
> CA is asking for more trouble than running your own CA.

Yes, for the VPN clients recommend running your own CA.
For the server certs (especially for SSLVPNs), running with an official CA
is likely better.

Another important point when using external CAs:
Do not let the CA issue the secret key for you:
Make sure you create your own secret key, and your own certificate signing
request (CSR) before you contact the CA.
Then send that CSR to the CA, and make sure that the certificate you get
matches your own private key.
(Unfortunately, some commercial CAs are offering to create your keys for
you, which makes it easier for the user, but this makes Lavabit-like
attacks theoretically possible. I don't want to name names, but people
should be careful)

Best regards,
Philipp Gühring
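
The procedure described in the message above (create the key and CSR yourself, send only the CSR, then confirm the returned certificate matches your private key), as an added example that is not part of the original post. The file names, the host name vpn.example.test and the throwaway stand-in CA are constructed for illustration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: names, paths and the stand-in CA below are constructed for illustration.

# Generate the private key and CSR locally; the key file never leaves this host.
make_key_and_csr() {  # $1 = output prefix, $2 = common name
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null )
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Succeeds only if the certificate carries the public half of our private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-in for the external CA: it only ever sees the CSR, never the key.
fake_ca_sign() {  # $1 = CA prefix, $2 = CSR, $3 = output certificate
    [ -f "$1.key" ] || {
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
        openssl req -x509 -new -key "$1.key" -subj "/CN=Constructed Test CA" -days 1 -out "$1.crt"
    }
    openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -out "$3" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_key_and_csr "$d/server" vpn.example.test
    fake_ca_sign "$d/ca" "$d/server.csr" "$d/server.crt"
    cert_matches_key "$d/server.crt" "$d/server.key" && echo "certificate matches our key"
    # A certificate issued for a different key must be rejected before deployment.
    make_key_and_csr "$d/other" vpn.example.test
    fake_ca_sign "$d/ca" "$d/other.csr" "$d/other.crt"
    cert_matches_key "$d/other.crt" "$d/server.key" || echo "mismatch detected"
    rm -rf "$d"
}
demo
```

With a real CA, only `make_key_and_csr` and `cert_matches_key` are needed: submit the `.csr` file and run the check on whatever certificate comes back.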