Thanks, Jerry. Indeed, the appearance of security is paramount in this case.
I don't want customers getting any error message about the validity of the
certificate.
But the instructions to which I refer are from WebTen. They seem to imply
that once I generate a new CSR, the current certificate may be invalidated.
That's the part I'm trying to get clarification on.
Thanks, again.
> From: Jerry Stratton <jerry@xxxxxxxxx>
> Reply-To: webten@xxxxxxxxxxxxxxx
> Date: Fri, 5 Apr 2002 10:26:39 -0800
> To: webten@xxxxxxxxxxxxxxx
> Subject: Re: Generate CSR = Not Secure?
>
>> I've had a secure server for one year now, and it's time to renew my
>>
>> The WebTen instructions... say this:
>> "A temporary, self-signed certificate (for use while your CSR is being
>> processed by the certificate authority) is created and saved.... This file
>> should be replaced by the real certificate when one is returned from the
>> Certificate Authority."
>>
>> This implies that my server might no longer be secure until I get the new
>> certificate from Verisign. Am I missing something? Is there a trick to
>> generating the CSR without destroying the current certificate? Or does the
>> new CSR just reside next to my current certificate? I'm reluctant to do this
>> before I'm sure it'll work.
>
> First, you need to understand the difference between your key and your
> certificate. (And I hope I do, but it can be complicated.)
>
> The certificate "certifies" that your key is valid for your hostname.
> Your signature says that you are signing off that your certificate is
> valid. This has little to do with how secure your site is, but a lot
> to do with how secure people think your site is. Obviously, a
> signature that basically says "I am who I say I am, and here I am
> saying that I am who I say I am, so it must be true" will be less
> trusted than Verisign saying that you are who you say you are :*)
>
> But your data will be encrypted just the same no matter who signs
> your certificate. The key is still the same. Similarly, you could go
> ahead and post your private key to public newsgroups the day after
> Verisign signs your certificate. Your site is about as secure as a
> Windows client in a public lab, but it will "look" secure to people
> visiting it :*)
>
> However, second, those instructions look like they're for your first
> time. Whenever I renew, I leave my old key/certificate in place until
> I get the new certificate from Verisign. As long as I remember to
> renew *before* the old certificate "runs out", this isn't a problem.
>
> Of course, I do it all from the command line, not in Webten's UI (I
> don't use Webten for secure serving). But (a) their UI should include
> this option, and (b) even if it doesn't, your site is still as
> secure. It just doesn't necessarily look like it is to your visitors
> (which is sometimes very important, sometimes less so).
>
> Jerry
> --
> jerry@xxxxxxxxxxxx
> http://www.sandiego.edu/~jerry/
> Serra 188B/x8773
> --
> The more restrictions there are, the poorer the people become. The
> greater the government's power, the more chaotic the nation would
> become. The more the ruler imposes laws and prohibitions on his
> people, the more frequently evil deeds would occur.
> --The Silence of the Wise: The Sayings of Lao Zi
>
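Added example, not from this thread and not WebTen's or Jerry's code: a small POSIX shell script around the openssl command-line tool that does what Jerry describes, generating the renewal CSR in a staging directory so the live key and certificate stay in place until the CA returns the new certificate. It goes a little beyond the thread by covering both cases a renewal can take (a fresh key, or a CSR made from the existing key so the CA certifies the same key the site already uses), by checking that the live certificate and key still match, and by checking how many days the live certificate has left so the renewal is started before it "runs out". It assumes openssl is installed; the hostname and file paths are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not WebTen's code, not Jerry's): prepare a
# renewal CSR in a staging directory so the live key and certificate keep
# serving until the CA returns the new certificate. Assumes the openssl CLI.
# All hostnames and paths are constructed for illustration.

# Print the PEM public key carried by a certificate, private key or CSR.
# Usage: pubkey_of cert|key|csr FILE
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        *)    return 1 ;;
    esac
}

# Succeed when two objects carry the same public key, e.g. to confirm the
# live certificate still matches the live key (the key is what the CA's
# signature vouches for; the certificate itself encrypts nothing).
# Usage: same_pubkey KIND1 FILE1 KIND2 FILE2
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed when the certificate is still valid DAYS days from now, so the
# renewal can be started well before the old certificate expires.
# Usage: cert_valid_for_days CERT DAYS
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Generate a renewal CSR under STAGE_DIR. By default a fresh key is made
# (rotating the key on renewal); pass an existing key as the third argument
# to reuse it, in which case the CSR carries the same public key as the
# live certificate. Nothing outside STAGE_DIR is written.
# Prints the CSR path. Usage: make_renewal_csr HOSTNAME STAGE_DIR [KEY]
make_renewal_csr() {
    host="$1"; stage="$2"; key="${3:-}"
    mkdir -p "$stage" || return 1
    if [ -z "$key" ]; then
        key="$stage/$host.key"
        # umask 077 keeps the new private key readable by the owner only.
        (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null) || return 1
    fi
    csr="$stage/$host.csr"
    openssl req -new -key "$key" -subj "/CN=$host" -out "$csr" 2>/dev/null || return 1
    # Check the CSR's self-signature before sending it to the CA.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    echo "$csr"
}

# Stand-alone use: ./renew.sh HOSTNAME STAGE_DIR LIVE_CERT LIVE_KEY
# Verifies the live pair, warns if it expires within 14 days, then stages a
# CSR with a fresh key; the live files are only read, never modified.
if [ "$#" -eq 4 ]; then
    same_pubkey cert "$3" key "$4" || { echo "live cert/key mismatch" >&2; exit 1; }
    cert_valid_for_days "$3" 14 || echo "warning: live cert expires within 14 days" >&2
    make_renewal_csr "$1" "$2"
fi
```

Because the script only ever writes into the staging directory, the files the server is actually using are untouched; swapping the new key and the CA-issued certificate into place is a separate, deliberate step taken once the certificate has come back and has been checked against the staged key with `same_pubkey cert new.crt key staged.key`.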