Martin Pitt <mpitt@debian.org> writes:
> Tom Lane [2009-04-10 19:01 -0400]:
>> How do you deal with that? If the root cert is real, how do you put
>> in self-signed server certs?
> I'm afraid I don't understand. If an admin replaces the default
> snakeoil cert with a real one which he got signed by a CA, then of
> course he would replace the standard system SSL cert (which all the
> servers default to, and which is initially the snakeoil one) with the
> "good" certificate. I don't see a reason why an admin would replace a
> self-signed cert with another self-signed cert?
What I'm wondering about, given your emphasis on system-wide certs,
is how you deal with the fact that some apps (like web browsers)
are going to need a "real" root certificate, but you also want to
have a self-signed certificate that isn't traceable to the real
root. This may just indicate my ignorance of standard SSL operating
procedures ...
regards, tom lane
