[Discuss] Delivering mail to folders

[blu at nedharvey.com (Edward Ned Harvey (blu))]

> From: jabr at gapps.blu.org [mailto:jabr at gapps.blu.org] On Behalf Of John
> Abreau
> 
> Apparently I've been doing it "wrong" all these years. I've always created my
> own CA and signed my certificates with it, and I thought that's what the term
> "self-signed" meant.

That's the opposite of "doing it wrong."

If you create a CA, for example by a process like this: http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php in which you have a CA root private key, which signs itself as a CA, and you keep that directory full of files sitting around someplace secure, and the root private key is used only for signing certs (is not used directly as a website cert), and you generate a different private key for each website cert, and then you install the CA root cert (with public key) into the trusted root store of your clients... Then you've done it exactly right. (Assuming proper implementation choices, such as key length and stuff like that). But this process is complex enough that very few people do it, especially when you can get free certs from a publicly recognized CA.

When people say they have a webserver with a self-signed cert, in virtually all cases, that means they followed a process like this (the top result I got by searching for "generate self signed certificate"): http://www.akadia.com/services/ssh_test_certificate.html  In this process, you generate a key, and use that key to sign a certificate of itself. There was never any CA.

A good clue to look for is whether or not the "openssl ca" command was used, and if the CA root cert is separate and distinct from the server cert. The CA root private key should never exist on any of the servers. It should be air-gapped, encrypted, kept in a bank vault.