[time-nuts] Febo.com SSL certificate expired

Magnus Danielson magnus at rubidium.dyndns.org
Fri Oct 15 23:00:25 UTC 2010


On 10/16/2010 12:08 AM, Bob Camp wrote:
> Hi
>
> It's a crazy world when it comes to self signed certs.
>
> You have at least 5 OSes you need to consider (MS, Linux/FBSD, OS-X, I-OS, Android). You need to think about both browsers and mail clients. Each of those comes from a half dozen sources on each platform. Then you have configuration options on each. That's a lot of combinations.
>
> Each combo seems to have a different idea of what not to do when they see a self signed cert. If you want to be able to handle all of them, even "real" certs may have issues. There are indeed several common combos that are a major pain with a self signed cert.
>
> No, I didn't write any of the code with the problems in it. I also don't want to get into the details of what and where. This really isn't the forum for that sort of thing. I'm not out to bash any particular solution, only to point out that there are indeed issues.

To handle part of the mess, we have set up our local root cert at the
computer club, and then sign our server certs to that. I did a major
overhaul on the infrastructure for that. It is still not "real" safety
routines, but ah well. We provide a cert download which quickly solves
the cert issue with most browsers.

Seems to work for our myriad of server and client OSes and clients.

There are various ways to get "real" root certs, but depending on degree
of uhm... safety... it may be argued of their capabilities. There are
efforts to build a chain of trust for a stable free root cert, but it is
so far not included in any major browsers.

Essentially it's a mess. I've only scratched the surface here.

Cheers,
Magnus
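
The local-root arrangement described in the message above, as an added example that is not part of the original post or the club's actual setup: a private root signs a server certificate, which verifies only for a client that has imported that root. It assumes the `openssl` command-line tool is installed; the names `Example Club Root CA` and `www.club.example` are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: private root CA signing a server cert (all names are constructed).
set -eu

make_club_pki() {            # $1 = output directory
  d=$1; mkdir -p "$d"
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
O = Example Computer Club
CN = Example Club Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.club.example
EOF
  # Root: self-signed, limited to signing certificates and CRLs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -config "$d/pki.cnf" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Server: its own key and CSR, then a leaf cert signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/CN=www.club.example" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/pki.cnf" -extensions v3_server \
    -out "$d/server.crt" 2>/dev/null
}

# Client that never imported the club root: only the system trust store is used.
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

# Client that imported the root: chain and hostname must both check out.
trusted_with_root() {        # $1 = root cert, $2 = server cert, $3 = hostname
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint to publish out-of-band next to the cert download.
root_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

PKI_DIR=$(mktemp -d)
make_club_pki "$PKI_DIR"
root_fingerprint "$PKI_DIR/root.crt"
```

Anyone importing a downloaded root should compare its fingerprint with one obtained over a separate channel, since an imported root can vouch for any hostname the client visits.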


