Subj : Re: Chromium and self-signed certificates
To : All
From : Lawrence D'Oliveiro
Date : Sun Sep 01 2024 07:46:27

On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:

> I thought the host certificate _became_ a CA
> certificate through the self-signing process..... So, I actually need
> _two_ certificates, one for the server and one for the signing
> authority, both created on the server?

A CA cert needs to be self-signed, since of course there is nobody higher (within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.

The OS (or the browser) typically comes with a set of CA certs that it trusts, preinstalled. So any cert signed (directly or indirectly) by any of these CAs becomes trusted as well. And you should be able to add to these certs, or even remove them.

> Presumably the client (a Pi5 running RasPiOS) already has created its
> own?

Its own CA? Hard to think why it would.

>> The procedure for being your own CA is a lot simpler in OpenSSL 3. I
>> have some notes here .
>
> Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
> shortly

I should mention that my example use of TLS/SSL is as a wrapper for an entirely custom protocol, not related to HTTP/HTTPS. There are certain requirements for certs used for HTTP/HTTPS, where the “subject” field must contain the fully-qualified DNS name in the “CN=” part.

---
SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)