From: Michael Orlitzky
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] app-misc/ca-certificates
Date: Tue, 01 Jun 2021 17:38:02 -0400
In-Reply-To: <1cc069e9-b708-c994-ca93-dc0a2d77f8f9@spamtrap.tnetconsulting.net>

On Tue, 2021-06-01 at 15:25 -0600, Grant Taylor wrote:
> 
> The proper way to configure certificates is:
> 
> 1) Create a key on the local server.
> 2) Create a Certificate Signing Request (a.k.a. CSR) which references,
> but does not include, the key.
> 3) Ask a CA to sign the CSR.
> 4) Use the certificate from the CA.
> 
> The important thing is that the key, which is integral to the encryption
> *NEVER* *LEAVES* *YOUR* *CONTROL*!
> 

*Any* CA can just generate a new key and sign the corresponding
certificate. All browsers will treat their fake certificate corresponding
to the fake key on their fake web server as completely legitimate. The
"real" original key that you generated has no special technical
properties that distinguish it.
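An added illustration of both messages above, not part of the thread and not anything either poster supplied: the script below walks the four quoted steps with openssl (key, CSR, CA signature, certificate), then has the same CA sign a certificate for a second key it never received a CSR for from the operator. Both certificates verify against the CA; only the public-key fingerprint tells them apart, which is exactly why "the key never leaves your control" protects the key but not the name. Everything is constructed for the demo: openssl on PATH is assumed, the "Demo Test CA" stands in for a public CA, and www.example.test is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the CSR workflow with
# openssl, followed by a second certificate minted by the CA for a key the
# operator never generated. Assumes openssl is on PATH; all names are constructed.
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throwaway test CA standing in for a public CA (constructed for the demo).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 1-2: generate a key and a CSR. The CSR carries only the public half
# (plus a proof-of-possession signature); the private key stays in $WORK/<name>.key.
make_key_and_csr() {            # $1 = name prefix
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/CN=www.example.test" \
        -out "$WORK/$1.csr" 2>/dev/null
}

# Steps 3-4: the CA signs the CSR and returns a certificate for that public key.
ca_sign() {                     # $1 = name prefix
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# Does the certificate chain to the CA? Prints "ok" or "fail".
verify_cert() {                 # $1 = name prefix
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Hex SHA-256 of the DER-encoded public key inside a certificate.
cert_key_fingerprint() {        # $1 = name prefix
    openssl x509 -in "$WORK/$1.crt" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/.* //'
}

demo() {
    make_ca
    make_key_and_csr legit      # the operator's key: never leaves $WORK/legit.key
    ca_sign legit
    make_key_and_csr rogue      # a key the CA (or whoever it signs for) generated itself
    ca_sign rogue
    echo "legit: $(verify_cert legit) $(cert_key_fingerprint legit)"
    echo "rogue: $(verify_cert rogue) $(cert_key_fingerprint rogue)"
}

demo
```

Both lines of output read "ok"; the fingerprints differ. A relying party that trusts the CA has no way, from the certificate alone, to prefer the first key over the second, which is why the defence against mis-issuance lives outside the key: CA policy, Certificate Transparency monitoring of the names you own, and key pinning where it is appropriate, rather than any property of the key itself.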