1 |
On Tue, 2021-06-01 at 15:25 -0600, Grant Taylor wrote: |
2 |
> |
3 |
> The proper way configure certificates is: |
4 |
> |
5 |
> 1) Create a key on the local server. |
6 |
> 2) Create a Certificate Signing Request (a.k.a. CSR) which references, |
7 |
> but does not include, the key. |
8 |
> 3) As a CA to sign the CSR. |
9 |
> 4) Use the certificate from the CA. |
10 |
> |
11 |
> The important thing is that the key, which is integral to the encryption |
12 |
> *NEVER* *LEAVES* *YOUR* *CONTROL*! |
13 |
> |
14 |
|
15 |
*Any* CA can just generate a new key and sign the corresponding |
16 |
certificate. All browsers will treat their fake certificate |
17 |
corresponding to the fake key on their fake web server as completely |
18 |
legitimate. The "real" original key that you generated has no special |
19 |
technical properties that distinguish it. |