NxFifteen’s Certificate Authority
I last rewrote this page almost three years ago, so I thought it was past time it got revamped.
The web can be a dangerous place if you don’t take care of your information, passwords especially. The prime example in recent memory was FireSheep, which was able to hijack your connection to Facebook, among others. This was made possible by the fact that your connection was not over an encrypted channel such as https. Unencrypted traffic can be viewed and subjected to man-in-the-middle attacks by any means, not just on websites. With this in mind I wanted to secure all my services, web and email.
In my own opinion self-signed certificates look bad, and unless you take note of the serial numbers they provide no means of detecting whether they’re genuine or forged, so you need someone else to sign them, someone you and your computer trust. This is where certificate authorities come in. They sign a certificate to confirm… well, something, and that’s the problem.
Some of the good ones will run checks and verify the person’s or domain’s identity. This can range from official ID checks and bank account verification down to sending an email with a link. Hence the cost of these certificates goes from pennies to thousands a year, and your computer will trust both equally.
My original reason for creating my own authority was just that, the cost. Even paying pennies for something I was capable of doing myself was too much, and when I added up the number of domains I wanted to protect it was far too much. Since then costs have come down and the number of domains has reduced, but I’m still running the authority. Partly the cost is still too high when I can do it myself, but mostly it’s a case of policy.
For a certificate that does any real ID checking the cost spirals, and I feel a certificate signed when no checking has been done is worse than self-signed; it’s practically the same thing – granted it’d stop you getting a browser error message, but that’s about all – and when you view one of my sites I want you to know I trust it.
I’m going to create guidance on how I manage it and store it for those interested. I only sign keys for NxFIFTEEN and Painless-Computing, so a signing policy is less important since I’m not signing keys for anyone else.
Below is my certificate root authority. Keys are signed by an intermediate certificate, but you only have to install the root certificate. The keys all have SHA-256 hashes so you can verify the download, but to really be sure about the file you should verify the PGP signature as well.
I also keep an active Certificate Revocation List for each at ssl.research.nxfifteen.me.uk, but most browsers don’t bother checking these anyway.
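Checking the published hash is the first step before installing a downloaded root certificate. The script below is an added example, not part of this page or the NxFIFTEEN CA tooling: it computes the SHA-256 of a file and compares it with the expected hex digest, falling back from `sha256sum` to `shasum -a 256` where coreutils is absent. The sample file it hashes is a constructed stand-in (the bytes `abc`), not the real certificate, and the `GOOD_HASH`/`BAD_HASH` values are constructed to illustrate a match and a mismatch.

```shell
# Print the lowercase hex SHA-256 digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 <file> <expected-hex-digest>
# Returns 0 when the digest matches the published one, 1 otherwise.
# Case is normalised so a hash pasted in upper case still compares correctly.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-256 hash"
    return 0
  fi
  echo "MISMATCH: $file does not match the published hash" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Constructed sample input: a stand-in file containing "abc" (NOT the real CA certificate).
SAMPLE_FILE=$(mktemp)
printf 'abc' > "$SAMPLE_FILE"
# SHA-256("abc"); constructed for this example, not a hash from the page.
GOOD_HASH=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
# A deliberately wrong digest to show the mismatch path.
BAD_HASH=0000000000000000000000000000000000000000000000000000000000000000

verify_sha256 "$SAMPLE_FILE" "$GOOD_HASH"
verify_sha256 "$SAMPLE_FILE" "$BAD_HASH" || echo "(mismatch reported as expected)"
```

A matching hash only proves the file you received is the one the author published; it says nothing about who published it. That is why the page also asks for the PGP signature check (`gpg --verify` on the detached signature, after importing and verifying the author’s key), which ties the download to a key rather than to a web page that could itself be altered.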
Download The Certificates
|Certificate Authority Downloads|
|SHA-256 Hash: 648da13feac3f1c3aad98cf64f1776719e6d5d148bd2af0c5387083d7d9836ed|
|SHA-256 Hash: 2e4dde5fadbb3335c213f0889e6a04eb982177fef801e1b6f3b32e059ca9540a|