# [Solved] Need help setting up an SSL Certificate

## jordanwb

I'm following this how-to: http://gentoo-wiki.com/Apache_Modules_mod_ssl for setting up HTTPS. Now I don't want to use a self-signed certificate (any reasons why it wouldn't be a problem?) and the howto suggested CAcert to create a certificate. Now I'm adding a domain to my CAcert account with the domain of 192.168.1.3 and 99.224.95.32, but this is where the problem occurs: I need to supply an authority email address and I can't give a 192.168.1.3 based or 99.224.95.32 based email address.

Any ideas?

----------

## desultory

Have you tried the suggestions given on their site?

----------

## jordanwb

Are there any security disadvantages to using a self-signed certificate?

----------

## notHerbert

*jordanwb wrote:*

> Are there any security disadvantages to using a self-signed certificate?

I suppose it depends on whether you trust yourself.

*Quote:*

> Making a homemade CA or self-signed certificate will cause the client web browser to prompt with a message whether to trust the certificate signing authority (yourself) permanently (store it in the browser), temporarily for that session, or to reject it. The message "web site certified by an unknown authority... accept?" may be a business liability for general public usage, although it's simple enough for the client to accept the certificate permanently. 

 

Also: http://it.slashdot.org/article.pl?sid=08/06/24/2345223

----------

## jordanwb

*notHerbert wrote:*

> I suppose it depends on whether you trust yourself.

 

I don't know if I can trust myself.

I'm currently in communication with a DynDNS representative via e-mail. But if there's no problem with a self-signed certificate security-wise then I won't bother with a third-party certificate.

----------

## Hu

*jordanwb wrote:*

> I'm currently in communication with a DynDNS representative via e-mail. But if there's no problem with a self-signed certificate security-wise then I won't bother with a third-party certificate.

 

Assuming equal key lengths and equal cipher choices, you get the same quality of encryption whether the certificate is self-signed or issued by a third party.  The security difference is related to identification.  With a third party certificate, some clients may automatically consider the certificate to be trusted and proceed immediately.  With a self-signed certificate, clients will raise a security warning since there is no way to differentiate a self-signed certificate that you issued to yourself from a self-signed certificate that Eve issued to herself in your name so she could eavesdrop on a connection.

The problem can be compounded by users who choose to "temporarily allow" the certificate each time, rather than permanently accepting it once.  As long as the user chooses to temporarily allow, it is the user's responsibility to check each time that the certificate is still yours, and not one issued by Eve.
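
Added example (not written by any poster in this thread): the identity check Hu describes, done by remembering a self-signed certificate's SHA-256 fingerprint the way "accept permanently" does and comparing it on every later connection. `PinStore`, the host used in `demo()`, and the two byte strings standing in for DER-encoded certificates are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as shown in a browser's certificate dialog."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's certificate without validating it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Hypothetical helper: one remembered fingerprint per host."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, der: bytes) -> str:
        seen = fingerprint(der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact. Nothing to compare against, so this step is only
            # safe if the fingerprint is also confirmed out of band.
            self.pins[host] = seen
            return "pinned"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Same name, different certificate: never overwrite the pin silently.
        return "MISMATCH"


# Constructed stand-ins for two self-signed certificates carrying the same name.
OWNER_CERT = b"constructed DER stand-in: CN=192.168.1.3, owner's key"
EVE_CERT = b"constructed DER stand-in: CN=192.168.1.3, Eve's key"


def demo():
    store = PinStore()
    host = "192.168.1.3"
    return [store.check(host, OWNER_CERT),   # first visit
            store.check(host, OWNER_CERT),   # later visit, same certificate
            store.check(host, EVE_CERT)]     # later visit, substituted certificate


if __name__ == "__main__":
    print(demo())
```

A user who only "temporarily allows" the certificate has no stored pin, so every visit is a first contact and the comparison has to be done by hand each time.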

----------

## jordanwb

All right thanks.

----------

