| 1 |
On Tue, 2021-06-01 at 15:25 -0600, Grant Taylor wrote: |
| 2 |
> |
| 3 |
> The proper way configure certificates is: |
| 4 |
> |
| 5 |
> 1) Create a key on the local server. |
| 6 |
> 2) Create a Certificate Signing Request (a.k.a. CSR) which references, |
| 7 |
> but does not include, the key. |
| 8 |
> 3) As a CA to sign the CSR. |
| 9 |
> 4) Use the certificate from the CA. |
| 10 |
> |
| 11 |
> The important thing is that the key, which is integral to the encryption |
| 12 |
> *NEVER* *LEAVES* *YOUR* *CONTROL*! |
| 13 |
> |
| 14 |
|
| 15 |
*Any* CA can just generate a new key and sign the corresponding |
| 16 |
certificate. All browsers will treat their fake certificate |
| 17 |
corresponding to the fake key on their fake web server as completely |
| 18 |
legitimate. The "real" original key that you generated has no special |
| 19 |
technical properties that distinguish it. |
Archives