[sword-devel] Self signed certs during module install [was: SWORD 1.8.0RC3]

DM Smith dmsmith at crosswire.org
Mon Jun 26 05:42:23 MST 2017


> On Jun 26, 2017, at 8:24 AM, Peter Von Kaehne wrote:
> 
> From: "DM Smith" 
>> Ultimately a root CA is a self-signed certificate. The difference is that the public key is installed into the root CA store on the user’s computer or into the user’s “browser’s” store. Then certs signed by that CA are not self-signed. This is essentially what many companies do for internal communication. The DoD likewise.
> 
> Which makes me think whether we could avoid the trouble we have annually or so with certs to now expand into module distribution by distributing our own cert/signature within the library? 

I don’t think this is a reasonable solution. I’ve installed such on my computers and it isn’t a simple mechanism. The mechanism differs by OS and by client program (e.g. browser). I’ve not figured out how to do it on a tablet or a phone. Companies that use such often control the connected computing devices.

LetsEncrypt is a better root CA as it is recognized by all modern OSes without user intervention. I.e. it is authoritative.

The problems we’ve had with renewing the cert are a solvable problem that I’m able to fix. BTW, I get emails from LetsEncrypt in advance of the cert expiring. If it expires, it is my fault for waiting. A couple of days before it expires, if I’m still getting emails, I know that the automation has failed and needs my intervention.

In Him,
	DM
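
Added example, not part of the original message or of SWORD's code: the trust-store point and the renewal warning discussed above, reproduced with the openssl command line. The CA name, host name and file names are constructed for the demo, and the 20-day leaf lifetime is an assumption chosen so that the expiry check fires.

```shell
#!/usr/bin/env bash
# Constructed demo: every name below (CNs, file names) is made up for illustration.
WORK=$(mktemp -d)
mkdir "$WORK/empty"          # a trust store that does not contain our root

make_pki() {
  # Root CA: self-signed, so subject and issuer are identical.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
  # Server key and signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=modules.example.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
  # Leaf signed by the root, valid for 20 days only.
  openssl x509 -req -in "$WORK/leaf.csr" -days 20 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# True when the certificate names itself as its issuer.
is_self_issued() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

# Verify the leaf against the trust store given as openssl options.
chain_ok() { openssl verify "$@" "$WORK/leaf.pem" >/dev/null 2>&1; }

# True when the certificate expires within $2 days (renewal is overdue).
expires_within() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

make_pki || { echo "openssl failed" >&2; exit 1; }
is_self_issued "$WORK/root.pem" && echo "root: self-signed"
is_self_issued "$WORK/leaf.pem" || echo "leaf: issued by the root, not self-signed"
chain_ok -CApath "$WORK/empty"    || echo "root not installed: leaf rejected"
chain_ok -CAfile "$WORK/root.pem" && echo "root installed:     leaf accepted"
expires_within "$WORK/leaf.pem" 30 && echo "expires within 30 days: renew now"
expires_within "$WORK/leaf.pem" 7  || echo "more than 7 days left"
```

The same leaf certificate is rejected or accepted depending only on whether the root is present in the verifier's store, which is the per-device installation step the message describes as impractical for end users.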



