
SoylentNews is people

The Fine print: The following are owned by whoever posted them. We are not responsible for them in any way.

Journal by mcgrew

Back in March I asked you guys if I should put SSL on my mcgrewbooks.com site, since it appeared that it would raise my hosting cost by $25 a year, and there was no technical reason to have it; there is no personal information collected whatever.
        I gave a lot of thought to the comments for months, and yesterday decided to go ahead and spend the money; I just put three grand on my mortgage principal. So I went to R4L’s web site to find where I could add SSL. I couldn’t find it.
        However, their help is actually a Canadian who helps through text chat, who informed me that paid hosting came with SSL, I simply had to turn it on.
        Well, it wasn’t that simple, as they’re upgrading their tools and I ran across a couple of 404s. But I finally found the correct widget to click, so the unnecessary lock is no longer broken.
        My other site still has a broken lock, but it’s a “free” site. Registration there is $15, but you get ten megabytes of hosting. Those are the kind of sites where an extra $25 buys SSL, and you might as well pay for hosting. It isn’t much more, and it isn’t hard to fill ten megs. Almost all of the images at mcgrew.info are either on Wikipedia (which reminds me, I should donate again) or mcgrewbooks.
        I wish I would have known that five years ago! But I’m still more than happy with R4L.
        Since R4L is Canadian, whose internet laws apply? America’s? Canada’s? Both? Neither?

  • (Score: 3, Informative) by DannyB on Monday October 18 2021, @04:04PM (1 child)

    by DannyB (5839) Subscriber Badge on Monday October 18 2021, @04:04PM (#1188052) Journal

    For testing I generated a self-signed one. It's easy. I won't use it (them?) in production because they cause a browser to prompt the user to accept the cert.

    Here is a tip. Don't just generate a self-signed cert.

    1. Generate a self-signed cert that is used to sign other certificates. In other words, your own private certificate authority.

    2. Now using that private CA cert, generate and sign a new cert for your domain.

    3. Take the self-signed cert (without the private key), and install it into one or more web browsers within your organization so that those browsers now trust that "CA". If you have a large fleet of Windows boxes joined to a corporate domain, this is easily done to install an internal private corporate certificate into ten thousand PCs.

    Now your internal machines will honor your domain certificate and allow real testing before buying a certificate.

    --
    Young people won't believe you if you say you used to get Netflix by US Postal Mail.
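The three steps in DannyB's comment above, as an added example that is not part of the original comment: it assumes the OpenSSL command-line tool, and the host name `test.example.internal`, the subject names and the file names are constructed. Step 3 is represented by `openssl verify` with `ca.crt` as the only trust anchor, standing in for a browser or Windows trust-store install.

```shell
#!/usr/bin/env bash
# Added example. Host name, subjects and file names are constructed.
set -eu
HOST="test.example.internal"

# Minimal OpenSSL config holding the extension sets for the CA and the leaf.
write_cfg() {
  cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
}

# Step 1: self-signed certificate that is allowed to sign other certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 2: key and CSR for the host, then a certificate signed by the private CA.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
    -subj "/CN=$HOST" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 7 -extfile "$1/pki.cnf" \
    -extensions v3_leaf -out "$1/leaf.crt" 2>/dev/null
}

# Step 3 stand-in: the decision of a client whose only trust anchor is $1.
client_accepts() {  # usage: client_accepts TRUST_ANCHOR LEAF HOSTNAME
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

build_demo() {
  d=$(mktemp -d); write_cfg "$d"; make_ca "$d"; issue_leaf "$d"; echo "$d"
}

demo=$(build_demo)
client_accepts "$demo/ca.crt" "$demo/leaf.crt" "$HOST" && echo "accepted: $demo/leaf.crt"
```

Only `ca.crt` is distributed to clients; `ca.key` stays on the machine that signs, and the short `-days` values keep test certificates from outliving the test.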
  • (Score: 0) by Anonymous Coward on Tuesday October 19 2021, @02:44AM

    by Anonymous Coward on Tuesday October 19 2021, @02:44AM (#1188283)

    The best practice now is to use a 3 level CA system. Generate the self-signed cert and add the public part to the trust store. Use its private key to sign the intermediate certificate, split the root key into secret shares and then destroy it. Then use the intermediate certificate to do all the heavy lifting. That way you leave yourself with various outs when compromise occurs, among other benefits.