On Tue, 13 Sep 2011 16:29:30 +0200, Tei said:
> He, I just want to self-sign my CERTs and remove the ugly warning that browsers show. I don't want to pay 1000$ a year, or 1$ a year for that. I
The warning is there for a *reason* - namely that if you have a self-signed cert, a first time visitor has *zero* way to verify it's *your* self-signed cert and not some hijacker's self-signed cert.
> just don't want to use cleartext for internet data transfer. HTTP is like telnet, and HTTPS is like ssh. But with ssh is just can connect, with browsers there's this ugly warning and "fuck you, self-signed certificate" from the browsers. Please make the pain stop!
If you use SSH to connect, and either ignore the "host key has changed" or "authenticity can't be established, continue connecting?" messages, you get what you deserve - those are the *exact* same issues that your browser warns about self-signed certs. And if you *don't* ignore them on SSH - why do you want to ignore them on SSL?

Note that there's another big difference between SSH and SSL - the number of people who are allowed to SSH to a given machine is (a) usually small and (b) pre-identified up front. So if Fred gets an "unknown host key" while SSH'ing to the server you just set up, that's probably not a big issue because you presumably know who Fred is and just created an account for him, so you can supply him with the footprint of the SSH host key to double-verify. That does *not* scale to Internet-facing web services.

Of course, if you have a *private* *internal* webserver with limited users, you're free to use a self-signed cert and use your browser's handy "Add security exemption" dialog and check "Permanent".
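
The SSH-side check this reply describes, as an added example that is not part of the original message: a first connection is accepted only when the presented host key matches a fingerprint supplied out of band, and a later key change is refused. The host name, key bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional


def ed25519_blob(raw32: bytes) -> bytes:
    """Wire form of an ssh-ed25519 public key: two length-prefixed strings."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32


def ssh_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_host(known: Dict[str, str], host: str, presented_blob: bytes,
               out_of_band_fp: Optional[str] = None) -> str:
    """Decide what to do with the key a server presents.

    known          -- pinned fingerprints (stand-in for known_hosts)
    out_of_band_fp -- fingerprint the admin gave the user over another channel
    """
    presented = ssh_fingerprint(presented_blob)
    pinned = known.get(host)
    if pinned is not None:
        # Already pinned: any difference is the "host key has changed" case.
        return "ok" if hmac.compare_digest(pinned, presented) else "changed"
    if out_of_band_fp is None:
        # First contact and nothing to compare against:
        # "authenticity can't be established". Do not pin blindly.
        return "unknown"
    if hmac.compare_digest(out_of_band_fp, presented):
        known[host] = presented  # verified, so pin it
        return "pinned"
    return "mismatch"  # someone else's key answered on first contact


if __name__ == "__main__":
    # Constructed sample keys: the admin's server key and an impostor's key.
    real = ed25519_blob(bytes(range(32)))
    fake = ed25519_blob(bytes(range(32, 64)))
    fp_from_admin = ssh_fingerprint(real)
    known = {}
    print(check_host(known, "srv.example", real))                 # no fingerprint yet
    print(check_host(known, "srv.example", fake, fp_from_admin))  # impostor on first use
    print(check_host(known, "srv.example", real, fp_from_admin))  # verified and pinned
    print(check_host(known, "srv.example", fake))                 # key changed later
```
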