
Andrew McGlashan via luv-main <luv-main@luv.asn.au> writes:
On 15/04/2016 4:51 PM, Rick Moen via luv-main wrote:
Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
letsencrypt perhaps? It works very well.
It (https://letsencrypt.org/, a recently invented, automated, no-charge CA) solves the one specific problem it set out to solve, well. And it's commendably well intended & benevolent.
[But the CA model is incorrigibly broken.]
https://en.wikipedia.org/wiki/Trust_on_first_use This model has worked well for OpenSSH for a long time. There is some recent(ish) discussion about applying it to "the web": https://blogs.fsfe.org/jens.lechtenboerger/2014/03/10/certificate-pinning-wi... https://blogs.fsfe.org/jens.lechtenboerger/2014/03/23/certificate-pinning-fo... https://blogs.fsfe.org/jens.lechtenboerger/2014/04/05/certificate-pinning-fo... Short version is: it's not ready for "normal" users.
Still, I've used self-signed certs too over the years and only occasionally tried out other options ... for me, right now, letsencrypt is better due to how the main browsers are setting up users to distrust anything that doesn't come from a CA (however untrustworthy CAs might be).
Making your own autonomous CA (and creating certs from it) is not much harder than making a self-signed cert. The GNUTLS manual essentially explains exactly how to do it, and its CLI options are *vastly* clearer than the OpenSSL ones.
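As an added illustration of the trust-on-first-use model discussed above (example code written for this archive page; it is not from the thread, from OpenSSH, or from the linked blog posts): a small known_hosts-style pin store for TLS certificates. The class and verdict names are this example's own, and the certificate bytes are constructed stand-ins; real DER would come from `ssl.SSLSocket.getpeercert(binary_form=True)`. The mismatch branch is the part that makes TOFU hard for "normal" users: the software cannot tell a legitimately renewed certificate from an intercepting one, so the decision to re-pin has to come from the person, after checking out of band.

```python
"""Trust-on-first-use (TOFU) pin store for TLS certificates, modelled on
OpenSSH's known_hosts.  Added example: TofuStore, PinMismatch and the verdict
strings are names invented here, not from any library or from the thread."""
import hashlib
import json
import tempfile
from pathlib import Path


class PinMismatch(Exception):
    """Host presented a certificate whose fingerprint differs from the pin."""


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 hex digest of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Persistent host -> fingerprint map kept in one JSON file."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, cert_der: bytes) -> str:
        """Return "first-use" (pin recorded now) or "match"; raise PinMismatch otherwise."""
        fp = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so trust and remember.
            self.pins[host] = fp
            self._save()
            return "first-use"
        if pinned == fp:
            return "match"
        # Either the server rotated its certificate or something is in the
        # middle; the code cannot distinguish the two, so it refuses.
        raise PinMismatch(f"{host}: pinned {pinned[:16]}..., presented {fp[:16]}...")

    def repin(self, host: str, cert_der: bytes):
        """Replace the pin once the user has verified the new certificate out of band."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def demo():
    """Walk one host through first use, a repeat visit, a changed certificate
    and a manual re-pin; returns the verdicts in order."""
    # Constructed stand-ins for DER certificates (not real certificates).
    cert_v1 = b"\x30\x82\x01\x00CONSTRUCTED-CERT-example.test-v1"
    cert_v2 = b"\x30\x82\x01\x00CONSTRUCTED-CERT-example.test-v2"
    verdicts = []
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "known_hosts.json"
        store = TofuStore(path)
        verdicts.append(store.check("example.test", cert_v1))  # first-use
        store = TofuStore(path)  # reopen: pins must survive on disk
        verdicts.append(store.check("example.test", cert_v1))  # match
        try:
            store.check("example.test", cert_v2)
            verdicts.append("accepted")
        except PinMismatch:
            verdicts.append("mismatch")
        # Only after out-of-band verification does the user accept the new cert.
        store.repin("example.test", cert_v2)
        verdicts.append(store.check("example.test", cert_v2))  # match
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Run it directly and it prints `['first-use', 'match', 'mismatch', 'match']`. The reopen step in `demo()` is deliberate: a pin store that only lives in memory gives no protection on the next connection, which is exactly the property the known_hosts file provides for SSH.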