Can I legally self sign an SSL certificate with UNIX/Linux regardless of if it allows me to

I need an SSL certificate or else anyone going to my possible webserver is going to get an annoying error that the page is insecure and will have to click proceed anyway. However, can I legally self-sign an SSL certificate myself instead of going through a verisign domain supplier, such as godaddy as I already have except can't seem to get transferred to my local server for a local domain or at least not as easy as I thought and the same goes for wix.

I know most if not all Linux distros if not UNIX forks allow SSL certificates to be self signed, but can it be done legally and correctly for use on the internet because I can't find an answer to this question anywhere or get an answer from anyone that might know.
 
I hope I am understanding your post. It looks like you have already purchased a SSL certificate via GoDaddy. So now you need to get that certificate installed. If you go to GoDaddy, click on Help in the upper right corner, select SSL Certificates and find your question. It will help you figure out what needs to be done.

If you want to use a self signed SSL certificate you can. It is legal. However it doesn't change the issue. Unless people choose to trust your self signed certificate, they will get the popup that the cert is not trusted. The reason why SSL certs from GoDaddy, Verisign, Namecheap, LetsEncrypt, etc work is that your computer already trusts the authorizing body. So once you get an SSL cert from them, and install it, the intermediate certificates (certificate chain/bundle), etc, other people's computers will trust it.

To answer the question directly from your subject line, Yes it is legal to use a self signed certificate. I wouldn't for something that is publicly accessible, but you can.
 
I second letsencrypt. Super easy to set up and you can't beat free.
 
no legalities for self-signing a certificate.

You can use a self-signed cert, but then visitors will get the same message because it's a self-signed cert and/or because they won't have your cert authority cert and won't trust the whole cert chain (if you happen to have/use your own cert authority.)

basically: using a self-signed cert will provide absolutely zero benefit (for a publicly visited page) as visitors will still get that "warning" in their browser.
 
The client side workaround is that you made the cert and you trust it, so install it on your box. Nice hack for yourself but the cert warning will quickly steer potential customers away from a public server.

Actually that Let's Encrypt looks pretty cool plus free.

https://www.sslforfree.com/
 
I've been using letsencrypt successfully for over a year now. Earlier I was paying 200 bucks per site for certs, now I can skip it.
 
Thanks everyone because my former Linux instructor didn't respond when I tried to ask him if he knew. I know though that he said trust has to start somewhere. Also, thanks because it appears that if I did self-sign it correctly and had the authority, like godaddy that it might not give the warning according to what some of you are saying.
 
letsencrypt works well, and there are even scripts/programs like certbot that will auto renew it for you.

If you wanted to do self signed certs, it's better to create your own CA, and sign all your certs with that. Then you can trust that one CA cert, and all the certs you have signed will be trusted.
 
The self signed CA is the highest level of trust, only meant to secure communication between your own systems. Whenever you want to go public you need a public certificate authority such as GoDaddy or letsencrypt.
 
if you self-sign a cert, there will be no cert chain. Therefore, no 3rd party CA will be in the cert chain.

If you self-sign, users' devices have to have that self-signed certificate installed to not get the warning.

Plain and simple: If this is for public access, do not use a self-signed. Period.
 
Listen to all the voices of reason. Either use Lets encrypt or get a cheap go daddy cert!
 
If you want to use a self-signed SSL certificate and NOT get the error with browsers/clients, you need to import the CA cert you used to sign the certificate on the device. The whole SSL Certificate Authority is a shit show anyway, I know many people who just run their own CA.
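
The private-CA approach described in the replies above (create your own CA, sign your certs with it, import that one CA cert on each device), as an added example that is not part of any post in this thread. It assumes the `openssl` command-line tool, version 1.1.0 or later; the CA subject, host name and file names are constructed.

```shell
#!/bin/sh
# Added example: private CA -> server certificate -> trust check (all names constructed).

# Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
write_cfg() {   # $1 = work dir, $2 = server host name
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
}

# The CA certificate is the only self-signed object; ca.crt is what clients import.
make_ca() {     # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/pki.cnf" -extensions v3_ca -subj "/CN=Example Lab Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Server key and CSR, then a certificate signed by the CA rather than by itself.
issue_cert() {  # $1 = work dir, $2 = server host name
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$2" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/pki.cnf" \
        -extensions v3_leaf -out "$1/srv.crt" 2>/dev/null
}

# Client that imported ca.crt: the chain and the host name are both checked.
verify_trusted() {   # $1 = work dir, $2 = host name the client asked for
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/srv.crt" >/dev/null 2>&1
}
# Client that never imported ca.crt: this is the browser-warning case.
verify_untrusted() { # $1 = work dir
    openssl verify -no-CAfile -no-CApath "$1/srv.crt" >/dev/null 2>&1
}

d=$(mktemp -d) && write_cfg "$d" www.lab.example && make_ca "$d" && issue_cert "$d" www.lab.example
verify_trusted "$d" www.lab.example && echo "accepted: ca.crt imported, host name matches"
verify_untrusted "$d" || echo "rejected: ca.crt not imported"
```

Only `ca.crt` is distributed to clients; `ca.key` can sign a certificate for any name those clients will then accept, so it stays off the web server.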
 
If it's all internal, you can use a self-signed cert. If it's accessed externally, I would use a CA.
 
I prefer Namecheap's cheap SSL cert, but that is because I stopped using GoDaddy years ago.

I went with GoDaddy because I didn't think you could legally sign your own SSL certificate because even if I learned how I forgot considering I never got to use it yet at that time. I did self-sign for Linux classes if not Microsoft or Mac, but the instructor said I won't actually be able to use it on the internet that I can sort of remember now I finally completed enough of my own server to do it, but I wasn't sure because of what they sort of said and I read the documentation too. However, I get stuck when on DNS first and then the questions the SSL signing asks me about my business, which I'll need to show you all as well as finish registering my business.
 
DNS is easy. Install, configure named.conf and a few zone files. chroot it. It was a pain in the a** back in the day. Nowadays it's > install bind-chroot done.
 
There are different types of SSL certificates. Some SSL certificates require you to verify your business. Some don't require that at all. The more expensive the certificate, the more likely you have to verify your business. The cheaper ones the less likely you are to have to fill out too much paperwork.

Domain Validation Certificates - Just protects your domain.
Organization Validation Certificates - Requires you to verify your business.
Extended Validation Certificate - fancier version of the Organization Validation.

If you are not running a business that requires you to take credit cards, then don't worry about the OV or EV certs.

Do you understand why your instructor indicated that you would not be able to use the Self-Signed Certificate on the Internet?
 
scharfshutze009, I'll tell you what you need to do, but you need to do the whole plan, not just quit in the middle how you like to do it.

1. you build your own internal DNS servers, the rest of this plan will be a huge pain without it.
2. build your own CA, you need to be able to sign your own certs. you can not be sending stuff in the clear on your network for this plan to be found out, because that will just spoil everything.
3. build your own internal web server. you will need a lot of space to store everything in the future. all your notes and progress for future generations. this is where you will use your first cert your CA signs.
4. build your own internal git server for all the code to come later in this plan.
5. now this part is the key, and not optional. you disconnect from the Internet for like 30-40 years, and i mean like no access at all, not even a tiny bit.
6. you begin the major task of writing your own kernel, for your own OS. now this will take a while, and you will have your doubts and want to quit at times. you will tell yourself maybe you should just use linux, but you can't give up.
7. here is the real key, you have to grow a beard, the bigger the better. all your idols: dennis ritchie, ken thompson, richard stallman, they all had beards, that is where the true power comes from.
see https://www.wired.com/2012/06/beard-gallery/
8. once complete you return to the world with your very own os for all the world to marvel at. at this point we will all realize you were the real deal all along, and you were in fact not trolling us all with all your posts all along.
 
tbg - 10 on the creativity scale for this plan. I hate doing other people's homework.
 