Private root certificate

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Private root certificate

stern0m1
What are the security vulnerabilities with trusting your own private root certificate?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Private root certificate

Antony Stone
On Tuesday 10 October 2017 at 17:37:44, B Hirsch wrote:

> What are the security vulnerabilities with trusting your own private root
> certificate?

If *you* created the certificate and *you* control the CA, so you *know* what
certificates it has signed, I don't see that there are any vulnerabilities.

A browser will warn you that the certificate is untrusted, because it cann't
verify the CA from its list of built-in CAs, but once you've added your own CA
certificate to the browser, all your own signed certificates will be trusted.

The only vulnerability I can imagine is if you install the CA certificate to a
bunch of browsers, and then someone manages to get at your CA and sign a
certificate you don't want them to.

In this case protecting the CA is the important part (as is the case for all
CAs).


Antony.

--
<flopsie> yes, but this is #lbw, we don't do normal

                                                   Please reply to the list;
                                                         please *don't* CC me.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users