INTL 3:770/1 3:770/3
REPLYADDR ldo@nz.invalid
REPLYTO 3:770/3.0 UUCP
MSGID: 1d5d3eb1
REPLY: a9f2ed77
PID: SoupGate-Win32 v1.05
On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:
> I thought the host certificate _became_ a CA
> certificate through the self-signing process..... So, I actually need
> _two_ certificates, one for the server and one for the signing
> authority, both created on the sesrver?
A CA cert needs to be self-signed, since of course there is nobody higher
(within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.
The OS (or the browser) typically comes with a set of CA certs that it
trusts, preinstalled. So any cert signed (directly or indirectly) by any
of these CAs becomes trusted as well. And you should be able to add to
these certs, or even remove them.
> Presumably the client (a Pi5 running RasPiOS) already has created its
> own?
Its own CA? Hard to think why it would.
>> The procedure for being your own CA is a lot simpler in OpenSSL 3. I
>> have some notes here .
>
> Fortunately it seems OpenSSL 3 is installed. I'll try your exercise
> shortly
I should mention that my example use of TLS/SSL is as a wrapper for an
entirely custom protocol, not related to HTTP/HTTPS. There are certain
requirements for certs used for HTTP/HTTPS, where the “subject” field must
contain the fully-qualified DNS name in the “CN=” part.
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)
SEEN-BY: 10/0 1 90/1 103/705 105/81 106/201 124/5016 129/305 153/757
SEEN-BY: 153/7715 218/0 1 601 700 840 870 930 220/70 221/1 6 360 226/17
SEEN-BY: 226/30 100 227/114 229/110 111 114 200 206 300 317 400 426
SEEN-BY: 229/428 470 550 616 664 700 240/1120 266/512 267/800 282/1038
SEEN-BY: 291/111 292/854 301/1 113 812 310/31 320/219 322/757 335/364
SEEN-BY: 341/66 342/200 396/45 460/58 633/280 712/848 770/1 3 100
SEEN-BY: 770/330 340 772/210 220 230 5020/400 1042 5058/104 5075/35
PATH: 770/3 1 218/840 221/6 301/1 218/700 229/426
|
