#1 2018-09-27 06:47:11

VirtualTorus
Member
Registered: 2018-04-06
Posts: 21

[SOLVED] Purpose of a self-signed OpenSSL certificate?

Hi everyone,

I only have a high-level understanding of networking and security associated with it, so I do not know where or what to search to find the appropriate forum or literature for this.

To give context, I am setting up a postfix server on my LAN to store cron/administration-related mail from all my LAN computers. Each 'client' computer in the LAN will use an MTA to send mail as some user on that server, and (correct me if this doesn't make sense) I would like the communication between the client and the server to be encrypted using TLS.

Since this is all constrained to being in my LAN, is it fine to use a self-signed certificate for TLS? Are there other situations where one would use a self-signed certificate? Would you recommend using a CA (I think it doesn't make sense to use one in this case, but maybe I'm wrong)?

Thanks in advance.

Last edited by VirtualTorus (2018-09-27 17:02:48)


#2 2018-09-27 07:17:39

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

The problem with a self-signed certificate is that it is susceptible to a man-in-the-middle attack, by impersonating your mailserver, and intercepting the emails to your mailserver.

Since you'll be creating a Certificate Authority certificate as part of the self-signed certificate creation process anyway, it would be better to configure your mail clients to be checking that the CA is trusted, i.e. that the chain of trust is successful.


#3 2018-09-27 07:22:02

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

brebs, of course you have to set up a chain of trust. It is not necessary to use a CA, though. You can directly copy the public part of the certificate to your mail clients (e.g. with a flash drive) and trust that instead of adding a CA to trust.

A CA is more future-proof, though. If you want to add e.g. a home server or NAS with a web interface and you have trusted your own CA, then it is easy to create a new certificate without having to change the configuration on the clients.

Self-signed certificates are often used as the client certificate for SSH and SSL connections.

Last edited by progandy (2018-09-27 07:28:32)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#4 2018-09-27 07:45:17

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

Yeah, the simplest method ("option 1") doesn't even need a CA cert created.

SSH certificates are slightly different, in that they do *not* usually involve a CA certificate, whereas SSL (for e.g. websites) usually does.

The CA certificate of a public-facing mailserver is usually not even checked.

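The two setups progandy and brebs describe above, as an added example that is not part of the thread (my own script, not any poster's): "option 1" pins a self-signed server certificate on each client, "option 2" has the clients trust a private CA instead. The host names mail.lan and nas.lan, the temp directory and an openssl CLI of 1.1.1 or newer are assumptions; the verify step at the end is the check a TLS client must make, and skipping it is exactly the man-in-the-middle gap brebs points out.

```shell
#!/bin/sh
# Added example, not code from the thread. Uses only the openssl CLI to show
# the two trust setups discussed: a pinned self-signed certificate (option 1)
# and a private CA (option 2). Host names and the temp directory are made up.
set -eu
WORK="$(mktemp -d)"

# Option 1: self-signed server certificate. Clients must pin this exact file;
# a substituted certificate (man-in-the-middle) does not verify against it.
make_self_signed() {  # $1 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.self.key" -out "$WORK/$1.self.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.self.ext"
  openssl x509 -req -in "$WORK/$1.self.csr" -signkey "$WORK/$1.self.key" \
    -days 365 -extfile "$WORK/$1.self.ext" -out "$WORK/$1.self.crt" 2>/dev/null
}

# Option 2a: a private CA. Clients trust ca.crt once (copy it over by hand).
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Home LAN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# Option 2b: issue a server certificate from the CA. Repeat for each new host
# (NAS, web UI, ...) without touching the clients' trust store.
issue_from_ca() {  # $1 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The check a TLS client performs: does the presented certificate chain to my
# trust anchor AND name the host I dialled? Prints ok or fail.
verify_against() {  # $1 = trust anchor file, $2 = host dialled, $3 = certificate presented
  if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_self_signed mail.lan; make_ca; issue_from_ca mail.lan; issue_from_ca nas.lan
echo "pinned self-signed, genuine cert:       $(verify_against "$WORK/mail.lan.self.crt" mail.lan "$WORK/mail.lan.self.crt")"
echo "pinned self-signed, CA-issued cert:     $(verify_against "$WORK/mail.lan.self.crt" mail.lan "$WORK/mail.lan.crt")"
echo "CA-trusting client, mail.lan cert:      $(verify_against "$WORK/ca.crt" mail.lan "$WORK/mail.lan.crt")"
echo "CA-trusting client, new nas.lan cert:   $(verify_against "$WORK/ca.crt" nas.lan "$WORK/nas.lan.crt")"
echo "CA-trusting client, wrong-host cert:    $(verify_against "$WORK/ca.crt" mail.lan "$WORK/nas.lan.crt")"
echo "CA-trusting client, rogue self-signed:  $(verify_against "$WORK/ca.crt" mail.lan "$WORK/mail.lan.self.crt")"
```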

#5 2018-09-27 13:47:39

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

Given the existence of services like LetsEncrypt, I find self-signed certificates to be completely useless and far more trouble than they are worth. When CA certs used to cost an arm and a leg and were a hassle to get, a self-signed cert could make sense for some simple use cases, but now that "real" CA certs are free and easy to get, why bother with a self-signed cert?

EDIT: for clarity, the above isn't a rhetorical question - I don't have great expertise on this topic, but it really does confuse me why anyone would still use a self-signed cert. If there are reasons to prefer a self-signed cert rather than one from LetsEncrypt, I'd be curious to know what those reasons are.

(edit s/hyptothetical/rhetorical/)

Last edited by Trilby (2018-09-28 01:43:10)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#6 2018-09-27 14:40:17

progandy
Member
Registered: 2012-05-17
Posts: 5,190

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

For LetsEncrypt you need to register a public domain. For use in an internal network you'd then have to create a dummy endpoint for the domain that is used to receive certificates, and then set up your own DNS server to provide the internal IPs for this domain.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#7 2018-09-27 14:42:46

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,976

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

@Trilby
Have you ever tried using Let's Encrypt for setting up a CA for a VPN infrastructure in a company?
I think that this would be a completely useless enterprise.
I maintain several CAs in our company for intranets and management VPNs for our digital signage systems (for remote administration).
So I'd consider dismissing self-signed certificates as completely useless in the face of Let's Encrypt as short-sighted.
However, I'd agree that they're useless for public HTTP and/or SMTPS servers.


macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }


#8 2018-09-27 16:28:38

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

Trilby wrote:

why bother with a self signed cert?

To remain in control of the certs, their chain of trust and their longevity, rather than having to trust a CA who is not trustworthy ;)


#9 2018-09-27 17:02:30

VirtualTorus
Member
Registered: 2018-04-06
Posts: 21

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

It seems I have several options available!

Thanks again everyone, I'm going to mark this thread as solved as the responses/discussion have clarified and addressed my questions.


#10 2018-09-27 20:33:33

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

brebs wrote:
Trilby wrote:

why bother with a self signed cert?

To remain in control of the certs, their chain of trust and their longevity, rather than having to trust a CA who is not trustworthy ;)

According to your own link:

According to Kolochenko, the fact that web browsers mark HTTPS sites as trusted is actually a bigger issue in this regard, because they encourage users to blindly trust the website without any justifiable reason. Because of that, he says, it’s rather difficult to measure whose carelessness contributed more to the increase in phishing campaigns.

I thoroughly agree; Let's Encrypt is not even slightly to blame for this.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#11 2018-09-27 21:19:35

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

<Devs can have their own crazy posts deleted to appear sensible, so I'll delete this too>

Last edited by brebs (2018-10-30 06:29:40)


#12 2018-09-27 21:35:59

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [SOLVED] Purpose of a self-signed OpenSSL certificate?

brebs, I am sure you could make your point without resorting to personal attacks; the fact that you have chosen to, and after already being warned about this, crosses the line:
https://wiki.archlinux.org/index.php/Co … ther_users
https://wiki.archlinux.org/index.php/Co … o_trolling


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438
