I’m just so annoyed of fighting this all the time.

If I can’t figure this out I’m going to disable all https redirecting and all certificate errors off so I can have some peace

  • ReversalHatchery@beehaw.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    2 months ago

    does not sound like a vood idea. your own CA can sign certs for any other sites too, and it’s dangerous.

    I would say it’s even more dangerous of you just think “nah, it’ll be fine”

    • lud@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      2 months ago

      What do you mean?

      Of course their own CA can sign certificates for whatever the fuck it wants, but it’s their CA so why would they do that?

      You obviously shouldn’t trust anyone else’s CA unless you actually trust it. But if you don’t trust your own CA what’s the point of having a CA?

      P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        but it’s their CA so why would they do that?

        I don’t mean them specifically, but that to me managing access to such a CA cert’s keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it’ll be much easier for it to make itself more persistent than I want it.

        But if you don’t trust your own CA what’s the point of having a CA?

        That’s the point. I don’t recommend having one. I recommend self signed certs that are

        • limited to a lan (sub)domain or a wildcard of it
        • you verified by the fingerprint (firefox can show this)
        • you only allowed for those of your internal services for the cert was intended

        Or if you don’t want to deal with self signed certs, buy a domain and do lets encrypt with the DNS challenge.
        That’s also more secure, but can be more of a hassle, though I guess it depends on preference.

        But then I would use this latter one too if I had opened any services to the internet, but I didn’t because I don’t need to.

        • lud@lemm.ee
          link
          fedilink
          arrow-up
          0
          ·
          edit-2
          2 months ago

          I don’t mean them specifically, but that to me managing access to such a CA cert’s keys is security nightmare, because if I somehow get an infection, and it finds the cert file and the private key, it’ll be much easier for it to make itself more persistent than I want it.

          If you can’t resist installing random shit on your CA server then sure. No attacker will really try to compromise a home CA so you really only have to worry about viruses which should be kept extremely far from the CA anyways. And obviously follow all other security precautions like good passwords or even passwordless with certificate login (remember that you have a CA server so you can easily issue authentication certificates and enroll them on a smart card or Yubikey)

          The private key should also be in TPM (or a HSM like we do at work, but that’s a bit extreme for home use) and be non-exportable. Managing access to the private key isn’t really that hard, it should just never ever leave the CA server and you are pretty much good to go.

          You can also do a two tier PKI with an offline CA and an issuing CA like I’m planning to do for an AD DS, AD CS, AD FS lab.

          Personally I think wildcard certificates sound like a bigger security problem than a CA since that certificates will likely be placed on a lot of servers and if just a single one gets compromised the attacker can impersonate whatever subdomain they feel like. With a CA server you could issue individual certificates to each server/service

          Private CA servers are very common and is actually a security positive. I’m not saying that everyone needs one at home, but you shouldn’t be afraid to setup one if you want too.

          • ReversalHatchery@beehaw.org
            link
            fedilink
            English
            arrow-up
            0
            ·
            2 months ago

            I’m in a home environment. I don’t have a TPM*, I don’t have yubikeys. And no, certificates won’t be placed on a lot of servers, as

            • I have only one, 2 if you count the raspberry
            • both of them uses a wildcard for its own subdomain, so other servers wouldn’t be affected anyway
      • ulterno@lemmy.kde.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        P.S. I’m guessing OP doesn’t actually have a CA and is just using simple self signed certificates without any private CA that has signed them.

        You’re right. I’m talking about making a certificate using gpg and storing it on your system. Then adding it to the root CA list and signing all your Local SSH stuff with it.