cacert.org certificates? anyone?

Hi

I'm reading this http://docs.openvpn.net/how-to-tutorialsguides/administration/installing-and-managing-ssl-web-certificates-in-openvpn-access-server/

And I'd like to know if a free cert from cacert will suffice for using with openvpn to connect to my vps from home/school network.

Also, would it be right to use the same cert for HTTPS?

Same question goes for google play apps..

Comments

  • nstorm Member
    edited March 2014

    If you're installing your own OpenVPN server, even a self-signed cert will be enough for openvpn. Just generate your own with OpenSSL. No need for a CA-signed cert in OpenVPN as you're manually putting your server cert in client config, no matter signed or not.

    Yes, you can use the same pair for the HTTPS. But if you enable public HTTPS it might pose some security issues when used with OpenVPN too. It doesn't give a security hole by itself, but exposes info which might be useful for an attacker.

    You'll need to have a recognized, valid CA-signed cert only if you are providing access for third parties to your SSL-enabled services. When you're the only person using it, you always have your server certificate and can install it, so no need for a recognized CA.

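    An added example (not from this thread) that illustrates nstorm's point: a server cert signed by your own private CA verifies fine when the client is given that CA to pin (as an OpenVPN client config does), but the same cert fails against the system root store, which is all a browser consults. It assumes the openssl command-line tool is installed; the CA name and hostname are made up.

```shell
#!/bin/sh
# Build a private CA and a server certificate signed by it, then check the
# chain two ways: against the pinned CA file, and against the system store.
set -e
WORK=$(mktemp -d)

# 1. A private CA, the kind easy-rsa builds for an OpenVPN deployment
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=my-private-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. A server key and CSR, signed by that CA (hostname is constructed)
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=vpn.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 365 -out "$WORK/server.crt" >/dev/null 2>&1

# What an OpenVPN client does: trust exactly the CA named by its "ca"
# directive. Returns 0 when server.crt chains to that CA.
verify_pinned() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# What a browser does: trust only the preinstalled public roots. A private
# CA is not among them, so this returns non-zero ("not trusted" warning).
verify_system() {
  openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

if verify_pinned; then echo "pinned CA: chain OK"; fi
if ! verify_system; then echo "system store: NOT trusted"; fi
```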
  • So I could use a self-signed cert for openvpn and google play apps. Made clear :)

    Now about public HTTPS access, I may need to secure some services like ghost blog registration and login process (or facebook canvas apps). So using a cacert.org certificate will do the trick?

    Thanks a lot for the help!

  • I wish cacert.org was a thing... Great thought through - if money and greed wasn't so involved in SSL authorities.

  • Maounique Host Rep, Veteran
    edited March 2014

    Silvenga said: I wish cacert.org was a thing... Great thought through - if money and greed wasn't so involved in SSL authorities.

    It is not only that, copies of those certificates need to be handed to certain agencies and governments so they can impersonate various institutions and content providers to phish for undesirables. The only safe way is self-signed, or will soon be.

  • gattytto Member
    edited March 2014

    Now that I go to the "Join" section of cacert.org I get a big "The site's security certificate is not trusted!" orange warning from chrome. I'm guessing this is going to happen to users entering my sites if I use this kind of certificate for my HTTPS protocol...

  • gattytto said: if I use this kind of certificate for my HTTPS protocol...

    http://en.wikipedia.org/wiki/CAcert.org

    certificates issued by CAcert are not as useful in web browsers as certificates issued by commercial CAs such as VeriSign, because most installed web browsers do not distribute CAcert's root certificate.

  • @nstorm thanks for that

    I just found this in bugzilla from year 2007, so I guess this answers some questions

    I apologize to those who helped me with their answers, I should have made a bit more research work before making a thread 'bout it.

    Ian Grigg 2007-04-26 14:15:01 PDT
    I've just been made aware of comments on this bugtrack that deserve some response, apologies for the delay.

    As brief as I can make it: in December of 2005 I took on the role of Independent Auditor of CAcert's Certificate Authority. This task is guided by David Ross's Criteria ("DRC"), mentioned earlier by David Ross himself, and earlier pre-approved by Mozilla for their purposes.

    Around June 2006, the audit process discovered severe imbalances in the contractual relationships between CAcert, its user community, Assurers and the world at large, as found by DRC. In October 2006, server issues arose which caused a difficult migration, still on-going. These also do not meet DRC.

    Although these combined issues are being worked through, they caused CAcert to realise that it had outgrown its ability to manage as a tight, developer-driven open source organisation. Although the community is very keen, and the product is very valuable to its users, it now needs a stronger and broader management structure.

    In December 2006, I therefore suspended the audit until that could be put in place to handle the difficult international responsibilities. Until resolved, CAcert is formally not seeking access to root lists, partnerships or the like, at the current time. This includes the list managed by Mozilla Foundation. Until CAcert's many tasks are complete, everything is in a "holding pattern" including any addition to browsers.

    I can observe, but not promise, current progress: Members of the Association and others are working to meet the requirement for management over the coming months. Work is ongoing on the server transition, and announcements may happen on that.

    For all CAcert's promise, the audit remains a serious process and a difficult hurdle. It works to a criteria that is objective and repeatable. The result is intended to be reliable and comparable. We may have our comments to make outside, but inside, we have a defined task. It is up to CAcert to do what is required, and they will get there in due course, or choose another path.

    In the meantime, there is no point in pressuring Mozilla on the issue. Better if you wish to help, join CAcert as a user and contribute on their large task list.

    Ian Grigg, Independent Auditor for CAcert's CA.

  • As an alternative I can suggest StartSSL.com - but you'll need to pay a one-time verification fee (was $49 before) to get a web-server certificate.

    Or get a cheap Positive SSL / Rapid SSL at around $20 / year.

    You can go with free self-signed, but users will get a warning. You can warn them it is ok before, but not everyone will trust it.

  • rm_ IPv6 Advocate, Veteran

    nstorm said: As an alternative I can suggest you StartSSL.com - but you'll need to pay one-time verification fee (was $49 before) to get a web-server certificate.

    The base tier of StartSSL is free, no need to pay anything. But apparently it's non-commercial use only, and of course no wildcard subdomain certs.

  • So expensive at GoDaddy!
    I may use the free StartSSL one for one non-commercial domain.

    Still will need a cheap ssl for commercial sites.

    Thanks for the info!

  • GoDaddy US$48.99 with discount coupon as of right now

  • rm_ said: The base tier of StartSSL is free, no need to pay anything.

    AFAIR they were providing only email S/MIME valid certs with automated email validation. If you need a website cert you'll need to pass additional verification. But I might be wrong on that one, don't remember for sure.

    EDIT: Checked that before posting, seems like they allow free web cert (non-commerce) with basic domain/email automated validation for free. For $59.90 you can have a personal validation which will allow you unlimited number of certs, including wildcard certs.

    So @gattytto try them, that should suit your needs well.

  • After trying to get into StartSSL to get the free one, I get to the point where they make my browser generate a new certificate with my identity, then entering auth.startssl gives a browser error and that's as far as I got

  • gattytto Member
    edited March 2014

    "SSL connection error" tried with both chrome and IE

    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
    Error code: ERR_SSL_PROTOCOL_ERROR

  • After registering you should have a generated cert/key pair added to your browser certificate storage. That certificate is used to authenticate on auth.startssl.com and log into your private area. Seems like you didn't complete this step.

    Here is a step-by-step guide how to register there: https://konklone.com/post/switch-to-https-now-for-free

  • I was even able to export the certificate using chrome, I've got the file in my desktop.. Chrome will also ask me if I want to use that certificate since it's added to the certs I have available.. :/

  • :O it just worked re-importing the certificate file to my browser.. weirrrrddddd

  • I don't think I saw any message stating that the free certificate can only be used for non-profit so far..

    If anyone has a screencap or copy/paste I'll be very grateful

  • @gattytto http://www.startssl.com/?app=39

    are meant to secure personal web sites, public forums or web mail.

    They also have a PDF policy document here: http://www.startssl.com/?app=26

    Class 1 certificates are limited to client and server certificates, whereas the latter is restricted in its usage for non-commercial purpose only. Subscribers MUST upgrade to Class 2 or higher level for any domain and site of commercial nature, when using high-profile brands and names or if involved in obtaining or relaying sensitive information such as health records, financial details, personal information etc.

  • oh you're so right! thanks a lot, I was CTRL+F'ing "profit" and not "commercial" THANKS!
