Stephen Frost wrote:
> * Peter Eisentraut (peter_e@gmx.net) wrote:
>
>> The new firefox just says "invalid certificate" and nothing else, and then
>> somewhere below there is a small link to "Add an exception" and you need a
>> total of four clicks to proceed. So that looks a lot like that they are
>> moving away from easily allowing unverifyable server certificates as well.
>>
>
> Yes, it's extremely obnoxious and hasn't actually changed anything. We
> often use certificates at work for internal web sites that aren't signed
> by the santified CAs simply because it's not worth it. That causes
> problems for our users when they're going to sites that are about a
> billion times less likely to have been cracked into than Joe's crab shop
> out on the internet. Encouraging people to believe that the PKI that's
> currently being used for the web is actually meaningful is really the
> first mistake.
>
for self-signed certs, you first create a rootca, you can import the
rootca public key/cert to your browser, by offering it as the proper
mime type (I forget the specifics), once accepted into your browser, the
browser will trust any certs created off that root, same as if they are
signed by any of the 'commercial' CAs.. of course, if you do this,
you need to keep your rootca private keys safe.
