[Ach] Help: Creating my own certificates for my own server

Adi Kriegisch adi at kriegisch.at
Thu Nov 13 08:31:24 CET 2014


> At the beginning I created my own root cert, certs for each service, ...
> As I learned from bettercrypto.org, talking to others and checking my server with several tools, that this was not a good decision.
No, that is not what we're saying, I hope... ;-)

> First: The cert was created using SHA1 which is reported as weak.
This is fixable: For the root certificate it does not matter that much and
the server/service certificates are replaceable (and signable with SHA256,
SHA384 or SHA512).

> Second: Creating an own root cert may be a security risk due to MITM attacks if all users of my services will add it to the trust list.
No. The exact opposite is true: your users are at risk when they do *not* add
your root to all their devices. The risk is to make users used to
certficate errors and train them to click those messages away.

> Please help or give hints, what is the best practice to create the cert(s) in this scenario.
Education! :) Train your users...
(or buy some snake oil)
(or as a more long-term solution wait for the new certificate pinning standards that are
arising atm to become mature and wide-spread)

-- Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20141113/5f99af8a/attachment.sig>

More information about the Ach mailing list