/// Certificate Authority


Posted: February 18, 2013
Last Updated: April 07, 2013

/// NxFifteen's Certificate Authority

The last time I wrote this page was almost three years ago, so I thought it was past time it got revamped.

The web can be a dangerous place if you don't take care of your information, passwords especially. The prime example in recent memory was FireSheep, which was able to hijack your connection to Facebook, among others. This was made possible by the fact your connection was not over an encrypted channel, such as https. Non-encrypted traffic can be viewed (man-in-the-middle attacks) by any means, not just websites. With this in mind I wanted to secure all my services, web and email.

In my own opinion self-signed certificates look bad and, unless you take note of the serial numbers, provide no means of detecting if they're genuine or forged, so you need someone else to sign them, someone you and your computer trust. This is where certificate authorities come in. They sign a certificate to confirm... well, something, and that's the problem.

Some of the good ones will run checks and verify the person's or domain's identity. This can range from as much as official ID checking and bank accounts to sending an email with a link. Hence the cost of these certificates goes from pennies to thousands a year, and your computer will trust both equally.

My original reason for creating my own authority was just that, the cost. Even paying pennies for something I was capable of doing myself was too much, and when I added up the number of domains I wanted to protect it was far too much. Since then costs have come down and the number of domains has reduced, but I'm still running the authority. Partly the cost is still too high when I do it myself, but mostly it's a case of policy.

For a certificate that does any real ID checking the cost spirals, and I feel a certificate signed when no checking has been done is worse than self-signed; it's practically the same thing - granted it'd stop you getting a cert for Facebook but that's about all - and when you view one of my sites I want you to know I trust it.

I'm going to create guidance on how I manage it and store it for those interested. I'll also publish information on what keys I sign, and how I verify the individual when required.

Below are my three certificates: Root, Domain and Infrastructure, but in most cases you'll only need the first two. I also keep an active Certificate Revocation List for each at ssl.research.nxfifteen.me.uk

/// Download The Certificates

Certificate Authority | Sub Authorities | Download | GPG Signature
Root Certificate      |                 | PEM      | Signature
                      | Domains         | PEM      | Signature
                      | Infrastructure  | PEM      | Signature
Git Repository
SSH
Description              | Downloads                 | Date        | Links
HTTPS Everywhere Profile | application/xml (1.15 KB) | 2013-Feb-18 | 2

An NxFifteen Project hosted by NxFifteen, part of NxFifteen Research.