SSL Certificates, and browser verification

Frankie

I just read the following on the Web site of a company selling SSL
certificates:

<< When the SSL handshake occurs, the browser verifies that the server
certificate was issued by a trusted CA. If the CA is not trusted, a warning
will appear. >>

This implies that browsers have some way to verify that a server certificate
was issued by a trusted certificate authority (CA).

My question:
I have my own Windows Server 2003 server that I can set up as a certificate
authority (CA) - and I can create my own server certificates for use on a
Web Server on the Internet. If I do this - then will browsers conclude that
the CA is not trusted because I'm not on some list of CAs that the browsers
can verify against? Basically I just want to know if I can create my own SSL
certificate for use on the Internet or if I really need to buy one from some
well-known company.

Thanks!
 
Ian

Using your own CA will result in your clients receiving an error
advising them that the certificate has been issued by a CA they have
chosen not to trust - They will have the option to install the
certificate which will stop the error message from appearing.

Ian
 
Leythos

You can have a "Self signed" certificate and it will work just as well
as any purchased one from a TCA, but, it will always present a warning
to the visitor that your certificate is not a trusted authority - unless
you include a script on a web-page that lets them install it properly
and make your cert a trusted one.

When it comes to OWA and such, we use self-signed ones, when it comes to
anything with the public or partners we use a cert from a TCA.
 
Sparda

Correct, the browser will conclude that the certificate is not trusted
because it has not been signed by a 3rd party trusted company, such
as VeriSign. IE verifies a certificate against a list of certificates
(in the Windows certificate msc) but Firefox has a big list of trusted
companies and just checks the certificate against that list. You can
view this list in Firefox by going to Tools (Edit in Linux) > Options >
Advanced > Certificates > Manage Certificates > Authorities, or if you
want to view the ones that come with Windows Run "certmgr.msc" >
Trusted Root Certification > Certificates.
 
