On Wed, 19 Nov 2008, Mark Watts wrote:

> The server I'm in control of is signed by a CA. (This server does not give any
> verification failure messages)
> I don't know about the other server.

I'm getting confused as to which server is which but I'm sensing that you think self-signed means automatically untrusted. While I don't claim to be any sort of certificate expert, here's my take on what I think you're saying:

You have a client connecting to a server with your self-signed certificate (signed by a CA of your own creation). Connections to it do not generate verification failures. Does the client have your self-created CA's root certificate on it? If so, then it can verify the self-signed certificate.

As near as I can understand, the only practical difference between certificates signed by a well-known CA and those signed by your own CA is how widely distributed you can expect the CA root certificate to be. For a well-known CA, you expect every Internet-connected computer to have the root certificate. For a self-created CA, you can only expect to find the root certificate on client systems you've put it on (which is why I keep a copy of my self-created CA's root certificate on my keychain drive). A self-created CA root certificate, once installed on a client system, has the same status as a root certificate from a well-known CA.

-- Larry Stone
   [EMAIL PROTECTED]
