Re: DCM cert for Apache settings

On 3/8/17, 10:28 AM, Nathan Andelin wrote:

That's the part that confuses me. If a browser is connecting to abc.com,
why not trust a certificate from the same? What make GoDaddy more
trustworthy?

And just how does the browser KNOW it's REALLY connecting to the GENUINE "abc.com"?

Certificates are based on asymmetrical encryption protocols, i.e., those in which there are two keys, a public key and a private key. Information encrypted with the private key can only be decrypted with the public key, and information encrypted with the public key can only be decrypted with the private key. This allows the holder of the private key to verify his/her/its identity to anybody with access to the public key.

CAs have a vested business interest in being trusted, and so they not only take steps to verify the identities of their customers, but also to verify each other's honesty.

What about folks who only want encryption?

That's what self-signed certificates are for. For example, if you want to host secured TN5250 sessions, but (as is usually the case) there is little or no need for the terminal emulator and the host to verify each other's identity (since one does have to sign on), all you need to do is plug a self-signed certificate into the Telnet server, and use a TN5250 client that doesn't require authentication. Or if you're hosting an internal web server that's only used by your own employees, you can plug a self-signed certificate into your web server. Then your employees can, the first time they connect with any given browser, tell their browsers to accept your self-signed certificate permanently, and you're in business.


--
JHHL