(community.letsencrypt.org)

314 points Bogdanp | 4 comments | 25 Jun 25 16:21 UTC | HN request time: 0.265s | source

Show context

msgodel ◴[25 Jun 25 19:15 UTC] No.44380911[source]▶

>>44379034 (OP) #

This is incredibly dumb. The three way handshake and initial key exchange is your certificate.

replies(2): >>44381814 #>>44382226 #

1. cpburns2009 ◴[25 Jun 25 21:03 UTC] No.44381814[source]▶

>>44380911 #

That would be fine if browsers didn't throw up giant warning signs when using self-signed certificates.

replies(2): >>44382565 #>>44383358 #

2. msgodel ◴[25 Jun 25 22:56 UTC] No.44382565[source]▶

>>44381814 (TP) #

That sounds like a defect in the browser design.

Or maybe it's because you actually want an identity to verify (which an IP address is not.)

3. nijave ◴[26 Jun 25 01:16 UTC] No.44383358[source]▶

>>44381814 (TP) #

Usually you can just import the leaf self signed cert as a CA in your OS trust store and the problem goes away (assuming it has an IP SAN). Slightly tedious but you can issue the certs with long validity

replies(1): >>44389987 #

4. cpburns2009 ◴[26 Jun 25 18:29 UTC] No.44389987[source]▶

>>44383358 #

Chrome provides no simple way to trust a self-signed cert. When you go to certificate details, the only option under the "Details" tab is "Export...". The only work around is to click "Advanced" and "Proceed to example.com (unsafe)". Chrome will then helpfully suffer amnesia in 1-3 days and completely forget you want to allow an exception for the certificate.

↑

Getting ready to issue IP address certificates