Oh, I think it's just because my browser (like almost all other browsers
on the internet) won't trust a self-signed certificate you create
yourself. On the other hand almost all internet browsers will trust
certificates signed by Thawte or Verisign because their CA certs are
included in most browsers' initial list of trusted CAs.
So if you can get your CA certificate included in Microsoft's and
Mozilla's CA list (which is possible but IMHO not trivial, and it will
cost you some money) you could sell certificates just like Thawte and
I have an application that is wanting me to add an OpenSSL certificate to my server, but the application will be communicating server-to-server over SSL. Therefore, the browser "problem" won't be one, right?
> I have an application that is wanting me to add an OpenSSL certificate
> to my server, but the application will be communicating server-to-server
> over SSL. Therefore, the browser "problem" won't be one, right?
This is actually a very complex question, and anyone who answers it without
first asking you what your application is and what threats it needs to
protect against is doing you a disservice.
The purpose of a third-party certificate is to validate the identity of the
endpoint presenting that certificate. Whether or not you need this depends
1) Do you need to validate the identity of the endpoint?
2) Is testing for a certificate from a trusted third party sufficient? (Do
we trust them enough? How secure do we need to be?)
3) Do we have any other way to validate the endpoint? For example, can we
embed its public key in the application?
From: [hidden email] [mailto:[hidden email]] On Behalf Of lwoods (sent by
Sent: Saturday, December 03, 2005 10:22 AM
To: [hidden email]
Subject: Ignorant of SSL: I have a dumb question
I don't understand why anyone would spend the money for Verisign or Thawte
for a certificate if you could use OpenSSL.
Can you explain...or point me to some white paper, etc. that would explain
this for me.
Sent from the OpenSSL - User forum at Nabble.com:
Ignorant of SSL: I have a dumb question
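Question 3 in the reply above (embedding the endpoint's public key in the application) as an added example that is not part of the original thread: the client hashes the public key inside the peer's certificate and compares it with a pin shipped in the application, so a self-signed certificate can be renewed without breaking the check as long as the key pair stays the same. All function names are hypothetical, the DER walker is a minimal one that assumes a well-formed X.509 layout, and the sample bytes are constructed; in a real client the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, size = buf[pos], buf[pos + 1]
    pos += 2
    if size & 0x80:  # long form: low 7 bits = number of length bytes
        n = size & 0x7F
        size, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + size > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + size

def spki_from_cert(der):
    """Return the SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, pos, _ = _tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:               # optional [0] version field
        pos = end
    for _ in range(5):            # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    return der[pos:_tlv(der, pos)[2]]

def pin_matches(cert_der, pinned_hex):
    """Compare SHA-256 of the peer's public key with the embedded pin."""
    seen = hashlib.sha256(spki_from_cert(cert_der)).hexdigest()
    return hmac.compare_digest(seen, pinned_hex)

# Constructed sample data: certificate-shaped DER, not real certificates.
def _enc(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def fake_cert(serial, key):
    spki = _enc(0x30, _enc(0x30, b"") + _enc(0x03, b"\x00" + key))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, bytes([serial]))
               + _enc(0x30, b"") * 4 + spki)
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))

ORIGINAL = fake_cert(1, b"key-A" * 40)
RENEWED = fake_cert(2, b"key-A" * 40)   # new serial, same key pair
IMPOSTOR = fake_cert(3, b"key-B" * 40)  # different key pair
PIN = hashlib.sha256(spki_from_cert(ORIGINAL)).hexdigest()  # embedded in app
```

The pin only proves possession of the expected key pair, so the server-to-server client still has to run this check on every connection and refuse to proceed when `pin_matches` returns `False`.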