How to trust a self-signed certificate without trusting the CA?

767
SeMeKh

So, I have created a rootCA and signed a certificate for *.a.com; how can I trust the resulting certificate in Firefox / Chrome without trusting the CA directly?

Note that adding an exception (once) is not enough in this case, since there are several domains.

1

2 answers

0
mtak

Because the certificate is not issued by a trusted CA you will get the error for every domain the wildcard certificate applies to. Firefox stores certificate exceptions with the domain as the key, not the certificate, so it will ask you to make an exception for every domain (even with a wildcard certificate).

If you don't want to trust the CA directly you can ask the CA owner to create an intermediate CA certificate for you, which you can use to issue certificates. You can then add the intermediate CA in your browser. (or you could just create a new CA)

Does this answer your question? mtak 9 years ago 0
0
SeMeKh

There are two possible approaches:

  1. Explicitly add the certificate to the browser certificate manager. Since Chrome and Firefox use NSS as their SSL library, this could be done using the following command (for Chrome):

    certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n SomeCertificateName -i /path/to/certificate

  2. Issue a subCA certificate limited by the nameConstraint extension, so that the subCA can only issue certificates with the a.com suffix. Now trust this subCA only. This article explains this approach.
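The second approach, as an added example that is not part of either answer: a root CA signs a sub-CA carrying a nameConstraints extension that permits only DNS names under a.com, and the sub-CA then signs one leaf inside that subtree and one outside it. Trusting only the sub-CA, `openssl verify` accepts the first and rejects the second. The point worth seeing is that the sub-CA's key happily signs the out-of-scope certificate; the restriction only holds because the relying party enforces the extension, so it is only as strong as the verifier's support for nameConstraints. The CA names, the hostnames www.a.com / www.b.com, and the helper function names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original answers): a name-constrained sub-CA.
# Names ("Example Root CA", "a.com Sub CA", www.a.com, www.b.com) are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Key pair plus CSR for the given CN; files use the prefix in $2.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
}

# Self-signed root: an ordinary CA with no name restriction.
gen_root() {
  make_csr "Example Root CA" root
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Sub-CA issued by the root. The nameConstraints line is what limits it:
# "permitted;DNS:a.com" allows a.com and any name below it, nothing else.
gen_subca() {
  make_csr "a.com Sub CA" sub
  cat > "$WORK/sub.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:a.com
EOF
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null
}

# Leaf for hostname $1 signed by the sub-CA, written as $2.crt.
# Signing succeeds for ANY name: the CA key does not enforce the constraint,
# the relying party does at verification time.
gen_leaf() {
  make_csr "$1" "$2"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Verify leaf $1 trusting ONLY the sub-CA (not the root), as the answer
# proposes. -partial_chain lets a non-self-signed certificate be the anchor.
# Prints "ok" or "fail".
verify_leaf() {
  if openssl verify -partial_chain -trusted "$WORK/sub.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Same check, but extract openssl's reason text for a constraint failure.
verify_reason() {
  openssl verify -partial_chain -trusted "$WORK/sub.crt" "$WORK/$1.crt" 2>&1 \
    | grep -o 'permitted subtree violation' | head -n 1 || true
}

gen_root
gen_subca
gen_leaf www.a.com good   # inside the permitted subtree
gen_leaf www.b.com bad    # outside it, but the sub-CA key signs it anyway
echo "www.a.com: $(verify_leaf good)"                          # ok
echo "www.b.com: $(verify_leaf bad) ($(verify_reason bad))"    # fail
```

The sub-CA certificate produced here is what you would import into the browser's trust store instead of the root; the root itself never needs to be trusted by the client. Because the constraint is only checked by the verifier, it is worth confirming with the actual client software (not just `openssl verify`) that a certificate for a name outside a.com is rejected before relying on this as a security boundary.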
