> However, in a strict local configuration like my testing environment the
> concept of trust is not relevant. I'm able to consider my CA and certificate
> trustworthy. And so the problem is only technical.
> Basically, how to complete (technical) trust between both?
It depends upon the precise client software you are using. But pretty much every client implementation of SSL has some way to add a CA to the list of trusted CAs. You may also be able to bypass this security check entirely.

A certificate from an untrusted CA serves essentially no purpose over a self-signed certificate. So you either need to configure the client to accept a certificate that serves no purpose or configure the client to trust the CA that issued the certificate. How you do that depends upon the specific client. Some browsers will simply allow you to open the CA certificate and offer you the option to trust it. Some will give you the option to trust either the CA or the specific certificate it issued when they present you with the "certificate from untrusted source" error.

The right course of action depends on exactly what you are trying to do and what you're trying to test. My guard always goes up when people (especially people who don't understand the basics of security) are implementing an encryption/verification algorithm and they ask for ways to make key security factors in the implementation useless. Of course, if you created your own CA and did so properly, there's no reason *you* shouldn't trust it. But saying fundamental security issues are "only technical" scares me.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
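The reply's point is that the client decides which CA it trusts, and the same certificate is either valid or worthless depending only on that choice. The following script is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway private CA, issues one server certificate from it, creates a second unrelated CA, and then runs `openssl verify` against each as the trust store. All subjects, file names and the working directory are constructed for the demo; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): show what "configure the client to
# trust the CA" means at the openssl(1) level. The leaf certificate is only
# "trusted" when the verifier is pointed at the CA that actually issued it.
# All names, subjects and paths are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.local
EOF
}

# Self-signed CA certificate with CN=$1, written to $WORK/$2.pem and $WORK/$2.key.
make_ca() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/openssl.cnf" -extensions v3_ca -days 1 -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Server certificate for test.local, issued (signed) by the CA in $WORK/ca.pem.
make_leaf() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/openssl.cnf" -subj "/CN=test.local" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Build the issuing CA, an unrelated CA, and the leaf certificate.
setup() {
  write_config
  make_ca "Demo Local CA" ca
  make_ca "Some Other CA" other
  make_leaf
}

# Verify leaf.pem with the file in $1 as the trust store. Prints "trusted" or
# "untrusted" and exits 0 either way so callers can compare the word.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

setup
echo "issuing CA as trust anchor:   $(verify_leaf "$WORK/ca.pem")"    # trusted
echo "unrelated CA as trust anchor: $(verify_leaf "$WORK/other.pem")" # untrusted
```

Pointing a real client at the CA file is the equivalent of the `-CAfile "$WORK/ca.pem"` case (for the OpenSSL s_client tool the flag has the same name); leaving the CA out of the client's store is the `other.pem` case, where the certificate carries a valid signature from a CA nobody asked the client to believe. A client option that skips verification altogether would accept both, which is exactly why the reply calls such a certificate no better than a self-signed one.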