On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> >
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> >
> > Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> >
> > Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> >
> > End-entity cert for my server.
> >
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
>
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
>
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.

It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intermediate name anytime they want.

--
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EnterpriseDB                             https://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +
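The trust-anchor question in this exchange, reproduced with the OpenSSL command line as an added example that is not part of the thread: a root issues two intermediates with the same subject name, and verification is compared with the root versus one specific intermediate certificate as the anchor. The PKI, all names and the helper functions are constructed for the demo, and `openssl verify -partial_chain` stands in for a client that anchors at the intermediate; it says nothing about how PostgreSQL builds chains.

```shell
#!/bin/sh
# Constructed throwaway PKI; every name and file here is made up for the demo.
set -eu
cd "$(mktemp -d)"
SERIAL=1

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# issue <out> <CN> <issuer> <extension line>: sign a fresh key as <out>.crt
issue() {
    newkey "$1"
    openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
    printf '%s\n' "$4" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -days 2 \
        -set_serial "$SERIAL" -extfile "$1.ext" -out "$1.crt" 2>/dev/null
    SERIAL=$((SERIAL + 1))
}

newkey root
openssl req -x509 -new -key root.key -subj "/CN=Demo Root" -days 2 -out root.crt
CA_EXT='basicConstraints=critical,CA:TRUE'
issue int_real  "Demo Intermediate" root "$CA_EXT"   # the intermediate you were given
issue int_other "Demo Intermediate" root "$CA_EXT"   # same name, different key
issue leaf_real  "db.example.test" int_real  'basicConstraints=CA:FALSE'
issue leaf_other "db.example.test" int_other 'basicConstraints=CA:FALSE'

# Trust anchor = root: any intermediate the root signed is accepted.
verify_root_anchor() {
    openssl verify -CAfile root.crt -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
}
# Trust anchor = the one intermediate certificate; the chain stops there.
verify_int_anchor() {
    openssl verify -partial_chain -CAfile int_real.crt \
        -untrusted "$2.crt" "$1.crt" >/dev/null 2>&1
}

for leaf in real other; do
    for mode in verify_root_anchor verify_int_anchor; do
        if "$mode" "leaf_$leaf" "int_$leaf"; then r=accepted; else r=rejected; fi
        echo "$mode leaf_$leaf: $r"
    done
done
```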