Comments on: OpenSUSE Linux: Creating Self-Signed SSL Certificates

By: OpenSUSE Linux: Creating Self-Signed SSL Certificates « Mr.Novell’s Blog

Thu, 18 Jun 2009 17:13:48 +0000

[...] Article By: SuseBlog [...]

By: Scott Morris

Scott Morris — Fri, 12 Jun 2009 04:26:17 +0000

Vavai,
Glad it was helpful. Thanks for stopping by!

By: Scott Morris

Scott Morris — Fri, 12 Jun 2009 04:25:34 +0000

Peter,
Thank you. Glad you found it helpful. And yeah, I did try to make it non-distro-specific where I could. Thanks for stopping by.

By: Peter Collard

Peter Collard — Wed, 10 Jun 2009 10:13:52 +0000

Have tried Yast, but as I hadn’t a clue what I was trying to do, I wasn’t very happy using it. Having been thru this process with its explanations I now feel a lot more confident knowing that I have something that will work on other distros as well as a suse system in single user mode for recovery. Next time I’ll probably use Yast to save getting my notes out, but will at least understand what its trying to do. Thanks for the excellent posting.

By: Scott Morris

Scott Morris — Mon, 01 Jun 2009 04:29:15 +0000

Absolutely not ideal for all situations, to be sure. Especially for customers with credit card data, as you mentioned. Absolutely great point. However, when you need quick and dirty encryption between a satellite office and your intranet, it will work in a pinch. Thanks for the message and thoughts. Great points. Thanks for stopping by.

By: Scott

Scott — Sun, 31 May 2009 21:16:57 +0000

I never cease to be amazed that we build a GUI Interface for everything, and we want people to use it, and yet when we get down to teaching others, we use the console prompt.
Dont get me wrong, I love my console prompt for a lot of things but we do have a
CA Manager that is an optional install in Yast -
which takes you through managing all your self signed certificates and pars etc.

Why dont we teach people how to use the CA Manager in Yast.

One other thing that I thought I would mention is , if you use a self signed SSL Server/Client certificate, every user will be asked to ‘TRUST and ACCEPT’ a certificate of ‘unknown origin who’s validity cannot be obtained’…well something like that warning.

Not every one is going to trust your self signed SSL client part of the SSL Server Certificate – Some people will only accept a Server/Client certificate that is validated by a CA.

The other issue with self Signed SSL Server/Client Certificates is, once issued, I do not know of any mechanism to globally revoke them.

The advantage with a CA issued certificate is that you have the authority to instruct your CA to revoke the certificate should it start to be mischievously used.

Dont get me wrong, self signed SSL Server/Client certificates have their place, but personally I would have an issue when anyone asked me for me credit card number by an untrusted certificate that was not issued by a CA, mostly because anyone can create the pair, but more importantly the pair cannot be revoked.

Oh! I look forward to a lesson on how to use the CA Manager in Yast, particularly as we can then cover the hierarchical structure of certificates and their pairs with the graphic illustration and graphic tools.

I must say, all credit to you for tackling a hugely complex subject so very well and I look forward to a tutorial on S/MIME X.509 Email certificate creation and use.

Well Done!!!!!!

By: Vavai

Vavai — Fri, 22 May 2009 01:23:02 +0000

Found it very useful while setting up openLDAP with TLS/SSL which need self-sign certificate.

Thank you.

By: Scott Morris

Scott Morris — Wed, 10 Sep 2008 17:23:23 +0000

dude,
Thank you, glad I could help your teacher. Have a good one and thanks for stopping by.

By: dude

dude — Wed, 10 Sep 2008 09:48:07 +0000

Nice Tutorial mate,

Saved my TAFE teacher an entire lessons prep!!

no but seriously, easy to follow and very quick to set up

By: Bernard

Bernard — Fri, 15 Aug 2008 00:03:58 +0000

Thanks for that step by step tutorial. Worked perfectly. I hadn’t used SuSE for about 7 years (SuSE 5.4 or 5.6 was the first Linux distro I ever got installed). I recently returned to using OpenSuSE 10.3 and have found it very good indeed. I have plans to use SuSE in a deployment of hundreds of servers.

By: Scott Morris

Scott Morris — Tue, 24 Jun 2008 15:03:21 +0000

Robb,
Glad to help out! Have a good one and thanks for stopping by.

By: Robb

Robb — Tue, 24 Jun 2008 04:55:23 +0000

Great tutorial. I am very green to all this and was able to follow it with ease. Thank you.

By: Michal Zugec

Michal Zugec — Mon, 09 Jun 2008 20:36:35 +0000

And for those who likes UI (and YaST) there are yast2-ca-management and yast2-http-server modules