Subj : Re: Chromium and self-signed certificates
To : Lawrence D'Oliveiro
From : bp@www.zefox.net
Date : Sun Sep 01 2024 16:28:43

Lawrence D'Oliveiro wrote:

> On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:
>
>> I thought the host certificate _became_ a CA
>> certificate through the self-signing process..... So, I actually need
>> _two_ certificates, one for the server and one for the signing
>> authority, both created on the server?
>
> A CA cert needs to be self-signed, since of course there is nobody higher
> (within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.
> The OS (or the browser) typically comes with a set of CA certs that it
> trusts, preinstalled. So any cert signed (directly or indirectly) by any
> of these CAs becomes trusted as well. And you should be able to add to
> these certs, or even remove them.
>
>> Presumably the client (a Pi5 running RasPiOS) already has created its
>> own?
>
> Its own CA? Hard to think why it would.
>

Ah, only a host certificate is needed for an anonymous client, like my browser?

>>> The procedure for being your own CA is a lot simpler in OpenSSL 3. I
>>> have some notes here.
>>
>> Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
>> shortly
>
> I should mention that my example use of TLS/SSL is as a wrapper for an
> entirely custom protocol, not related to HTTP/HTTPS. There are certain
> requirements for certs used for HTTP/HTTPS, where the “subject” field must
> contain the fully-qualified DNS name in the “CN=” part.

That much I gathered. Still, it looks like there are three uses for encrypted, authenticated communications between hosts: mail, web traffic and remote logins. SSL is installed and working for remote logins on all the hosts under my control by default. Can a single ssl/tls configuration support all three services? Am I wrong to think of ssl and tls as one thing?

Apologies for all the naive questions!

bob prohaska

--- SoupGate-Win32 v1.05
 * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
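As an added example (not code from the thread or from Lawrence's notes), the script below builds the two certificates the exchange is about: a self-signed CA certificate and a separate server certificate signed by that CA, with the fully-qualified DNS name in both CN and subjectAltName, and then shows that a client only verifies the server certificate once the CA certificate is in its trust store. The CA name, the hostnames and the scratch directory are constructed placeholders.

```shell
# Added example, not from the thread. Names such as "Home CA" and
# example.test are constructed placeholders. Uses only subcommands that
# exist in both OpenSSL 1.1.1 and OpenSSL 3.
set -eu
# The CA certificate is the only self-signed one. "req -x509" with the
# stock openssl.cnf emits basicConstraints=CA:TRUE for it.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Home CA" 2>/dev/null
}

# The server certificate is NOT self-signed: a CSR is signed with the CA
# key. CN carries the FQDN, and subjectAltName lists every name the host
# answers to (browsers check the SAN, not only the CN); an optional third
# argument appends more SAN entries, e.g. "DNS:mail.example.test".
make_server_cert() {
    dir=$1; fqdn=$2; extra=${3:-}
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$fqdn" 2>/dev/null
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$fqdn${extra:+,$extra}
EOF
    openssl x509 -req -in "$dir/server.csr" -days 825 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# What a client does: the chain verifies only when ca.crt is in the trust
# store handed to the verifier, which is why the CA certificate (never the
# CA key) has to be installed on each client.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}
verify_without_ca() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}
# Demo run in a scratch directory.
work=$(mktemp -d)
make_ca "$work"
make_server_cert "$work" www.example.test "DNS:mail.example.test"
verify_with_ca "$work" && echo "verifies with ca.crt as trust anchor"
verify_without_ca "$work" || echo "fails without ca.crt in the trust store"
```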