LinuxQuestions.org
Old 06-12-2014, 05:09 PM   #1
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 923

Rep: Reputation: 61
Question SSL - Signed vs non-Signed


Hey LQ,

I'd like to know what the differences, pros and cons are for having a purchased SSL, signed from a vendor such as Comodo versus a non signed SSL.

Also curious how one acquires a non-signed SSL.
 
Old 06-12-2014, 05:20 PM   #2
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
If signed it means that the signing authority has taken some steps to verify that you are who you say and that the cert belongs to you.

Unsigned, the certificate is exactly the same in function but without extensive verification of the owner.

If you want to do business online where credit cards are involved, you need a signed cert from an authority.

You can sign your own certs as well and then you upload your certificate authority public key to a browser and it will still work and act the same since the browser will then recognize the certificate as a true certificate. Without the CA public key, you will be warned by the browser before connecting to the self-signed secure site.
 
1 members found this post helpful.
Old 06-12-2014, 06:11 PM   #3
wh33t
Member
 
Registered: Oct 2003
Location: Canada
Posts: 923

Original Poster
Rep: Reputation: 61
Quote:
Originally Posted by ericson007
You can sign your own certs as well and then you upload your certificate authority public key to a browser and it will still work and act the same since the browser will then recognize the certificate as a true certificate. Without the CA public key, you will be warned by the browser before connecting to the self-signed secure site.
That's actually what I figured, thank you for clarifying.

Do you know the steps I would take to create my own certificate and how I would install that into a webserver? I've currently got a private VPS Xen box and I would like to secure all of my web traffic. Also curious if it's possible to secure an entire domain name with one certificate (all subdomains included).
 
Old 06-12-2014, 09:45 PM   #4
ericson007
Member
 
Registered: Sep 2004
Location: Japan
Distribution: CentOS 7.1
Posts: 735

Rep: Reputation: 154
Just look up creating an ssl certificate and for your own CA something like ssl CA how to.

You don't have to worry about the CA if it is just your personal stuff. If you are with a company and employees connect then a CA may be warranted.

You can generate a wildcard certificate for the whole thing. Or seeing that you know how it is set up, just use a pre-existing one. The browser will warn about a wrong domain, but it will still encrypt the traffic.
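
The private CA and wildcard certificate discussed in the posts above, as an added example that is not part of any poster's reply: it builds a self-signed root, has it sign a wildcard server certificate, and provides checks for self-signing, trust and host-name coverage. The domain example.test, the CA name, the file names and the function names are all constructed for illustration; note that a wildcard entry matches one label only, so a.b.example.test is not covered.

```shell
#!/usr/bin/env bash
# Added example. "example.test", the CA name and all file names are constructed
# placeholders. Needs only the openssl CLI; nothing leaves the local machine.

build_pki() {        # $1 = empty working directory
    local d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:*.example.test,DNS:example.test
EOF
    # 1. Root CA: self-signed (-x509), i.e. signed with its own private key.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$d/pki.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # 2. Server key and signing request for the wildcard name.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
        -subj "/CN=*.example.test" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # 3. The CA signs the request; the SAN list comes from [v3_leaf].
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$d/pki.cnf" \
        -extensions v3_leaf -out "$d/server.crt" 2>/dev/null
}

is_self_signed() {   # $1 = cert; name comparison: subject equals issuer
    local s i
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

trusted_by() {       # $1 = trust anchor file ("" = this machine's default store), $2 = cert
    if [ -n "$1" ]; then openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    else openssl verify "$2" >/dev/null 2>&1; fi
}

covers_host() {      # $1 = cert, $2 = host name to test against the SAN list
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}
```

A client that has imported ca.crt accepts server.crt; one that has not rejects it, which is the browser warning described in this thread.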
 
Old 06-17-2014, 03:48 AM   #5
jacksonking112
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Rep: Reputation: Disabled
In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms a self-signed certificate is one signed with its own private key.
 
Old 06-19-2014, 03:12 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
If you want a certificate that browsers will recognize, try StartSSL. It is free.
 
Old 06-19-2014, 04:24 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
It's mostly a scam, actually.

What you're trying to avoid is a message from the user's browser that "this certificate is un-trusted." (Which simply means that the certificate was not signed by one of a list of CAs that the browser was pre-programmed to "trust.")

For internal ("intra-net" ...) web applications, the customary solution to this problem is to define a company-wide CA (which you do not have to pay anyone any money to do ...), then pre-program all of the company's computers to accept that authority. All of the company's internal applications are then signed by that authority.

Cryptographically speaking, all certificates are the same. All of them will protect your communications equally well.

For external applications, you have little choice but to "suck it up," but, as noted, there are "recognized CAs" out there who do not charge what the big-boys do. Any one of them will do.

The idea of the CA system was that the Certifying Authorities really would know whereof they spoke. But, the actual economics of the situation is that they (of course) don't give a damn. Therefore, seek out the one who charges the least amount of money, no matter who you wind up buying from.

Last edited by sundialsvcs; 06-19-2014 at 04:29 PM.
 
Old 06-20-2014, 12:27 PM   #8
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
It's mostly a scam, actually
Well, yes, the whole CA system is, or at least it has become one. It was supposed to address the paradoxical question of trust. The problem is that trust has been violated. Like any form of trust, once it is lost it is hard, if not impossible, to ever recover. To that end, I "trust" a self-signed certificate more than I would a commercial one. That being said, some people still prefer to see the padlock without having to add an exception.

In my opinion, if all of the govt spying issues weren't bad enough, the recent trend where so-called "security" apparatuses are being used to proxy SSL traffic while a CA cert is being pushed to people's machines to masquerade the deception has really caused me to believe this.
 
Old 06-20-2014, 12:59 PM   #9
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,679
Blog Entries: 4

Rep: Reputation: 3947
Yeah, GPG's "web of trust" is a much better design. We can be quite certain that the root private-keys associated with all the major signers are held by folks like NSA, enabling them to read anything. (And they seem to be obsessed with the idea of "reading everything.") However, at least the traffic that's flowing across the wire is encrypted by some non-trivial means, which is a great deal more than you can say for e-mail.

SSL with certificates also gives a pragmatic method for verification and control. Most companies that I've worked with have set up their own internal certificate-authority and configure their machines to accept (and in some cases, to require) it. From this, they often set up several other subordinate CAs. This actually is a strong system, as it is designed to be, because you can't forge or even spoof one of their certificates. They're not linked to any other, commercial, authority.
 
  

