> I doubt if a self-signed certificate will be a good idea, as against a
> signed certificate. With the approach I am proposing, the server
> installer itself works like a CA. Only an authorized person will have
> access to this installer (say admin) and can generate a signed
> certificate.

I don't know if you're familiar with how real CAs operate, but trust me,
restricting access to your installer won't provide anywhere near the
security that real CAs do.

> Now what happens if someone changes the key and the certificate in the
> server? If I am using a self-signed certificate, this change will not
> be detected.

Perhaps you misunderstand what I'm proposing. If you use a self-signed
certificate, the change will be detected because the certificate will now
be different. I'm suggesting the client use the public key itself as the
server's identity.

> If I am using a CA-signed certificate (which only the admin can do
> through the installer), any such change / modification to the server
> certificate will be detected, as the modified certificate will not be
> validated at the client side (as it will not be signed).

The problem is that anyone who has access to your installer can
impersonate any server. Whether or not this is acceptable depends upon a
few factors. I would submit that if your client is a traditional program
like IE or Firefox and your target network is the Internet, this is
absolutely unacceptable. If your client is custom software and/or your
target network is private, this might be reasonable.

> This is the reason why I plan to use a CA-signed cert instead of a
> self-signed cert at the server.

What's your client software? Is it a browser or custom software? If a
browser, and you're expecting the client to add your CA as a trusted
root, you are compelling your users to trust an awful lot to anyone who
might get access to your installer, accidentally or intentionally. A leak
of your installer would mean a serious security compromise to all your
users.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
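Added example, not part of the original thread: a client-side check that does what DS suggests, using the server's public key (the SHA-256 of its SubjectPublicKeyInfo) as the server's identity instead of trusting whoever signed the certificate. It walks the DER structure with the standard library only, so it needs no third-party modules; the certificates it tests against are constructed inline with a toy DER encoder and stand-in signatures (the only real values are the rsaEncryption and sha256WithRSAEncryption OIDs; the `make_cert`, `extract_spki`, `spki_pin` and `pin_matches` names are this example's own). The scenarios mirror the discussion: a key swap on the server is detected even if the installer re-signs the new certificate, while re-signing the same key by a different issuer still matches the pin.

```python
"""Pin a server by its public key (SPKI hash) rather than by its signer.

Stdlib only. The certificates below are constructed for the example:
their non-SPKI fields are placeholder-shaped, and the "signature" is
just a hash, so they are not valid X.509 and cannot be used for TLS.
"""
import hashlib
import hmac

# Real OIDs from RFC 4055 / PKCS#1: rsaEncryption and sha256WithRSAEncryption.
RSA_OID = bytes.fromhex("06092a864886f70d010101")
RSA_SHA256_OID = bytes.fromhex("06092a864886f70d01010b")


# --- minimal DER helpers ---------------------------------------------------
def der_len(n: int) -> bytes:
    """Encode a DER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element) for buf[pos:]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- the pinning check -------------------------------------------------------
def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate.

    RFC 5280 TBSCertificate order: [0] version (optional), serialNumber,
    signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = read_tlv(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:  # explicit [0] version is optional; skip it if present
        pos = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    tag, _, nxt = read_tlv(tbs, pos)
    assert tag == 0x30, "subjectPublicKeyInfo must be a SEQUENCE"
    return tbs[pos:nxt]


def spki_pin(cert_der: bytes) -> str:
    """The pin: SHA-256 over the DER SPKI, independent of issuer and signature."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def pin_matches(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented key against the stored pin."""
    return hmac.compare_digest(spki_pin(cert_der), pinned)


# --- constructed sample certificates (example-only, not real X.509) ----------
def make_cert(issuer: bytes, pubkey: bytes) -> bytes:
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                 # [0] version v3
        tlv(0x02, b"\x01"),                             # serialNumber
        seq(RSA_SHA256_OID, tlv(0x05, b"")),            # signature algorithm
        seq(tlv(0x0C, issuer)),                         # issuer (placeholder Name)
        seq(tlv(0x17, b"240101000000Z"),
            tlv(0x17, b"250101000000Z")),               # validity
        seq(tlv(0x0C, b"server.example")),              # subject (placeholder Name)
        seq(seq(RSA_OID, tlv(0x05, b"")),
            tlv(0x03, b"\x00" + pubkey)),               # subjectPublicKeyInfo
    )
    fake_sig = hashlib.sha256(tbs + issuer).digest()    # stand-in for a real signature
    return seq(tbs, seq(RSA_SHA256_OID, tlv(0x05, b"")), tlv(0x03, b"\x00" + fake_sig))


def demo() -> dict:
    key_a = b"constructed-public-key-A"  # constructed placeholder key material
    key_b = b"constructed-public-key-B"
    self_signed = make_cert(b"server.example", key_a)  # issuer == subject
    pinned = spki_pin(self_signed)                      # client records this once
    reissued = make_cert(b"Installer CA", key_a)        # same key, new issuer + signature
    swapped = make_cert(b"Installer CA", key_b)         # key replaced on the server
    return {
        "self_signed": pin_matches(self_signed, pinned),        # True
        "reissued_same_key": pin_matches(reissued, pinned),     # True
        "key_swapped": pin_matches(swapped, pinned),            # False
    }


if __name__ == "__main__":
    print(demo())
```

The point of pinning on the SPKI rather than the whole certificate is the middle case: an administrator can legitimately re-issue or renew the certificate for the same key without breaking clients, whereas a different key, however it was signed, fails the check. With a real certificate you would feed the DER from the TLS handshake to `spki_pin` and keep the pin out of band.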