On Tue, May 26, 2020 at 05:22:13AM +0200, Laurenz Albe wrote:
> On Mon, 2020-05-25 at 15:15 -0400, Chapman Flack wrote:
> > Certificates I get at $work come four layers deep:
> >
> > Self-signed CA cert from "WE ISSUE TO EVERYBODY.COM"
> >
> > Intermediate from "WE ISSUE TO LOTS OF FOLKS.COM"
> >
> > Intermediate from "WE ISSUE TO ORGS LIKE YOURS.COM"
> >
> > End-entity cert for my server.
> >
> > And that got me thinking: do I really want WE ISSUE TO EVERYBODY
> > to be what I'm calling trusted in root.crt?
>
> I don't know if there is a way to get this to work, but the
> fundamental problem seems that you have got the system wrong.
>
> If you don't trust WE ISSUE TO EVERYBODY, then you shouldn't use
> it as a certification authority.
It is true that WE ISSUE TO EVERYBODY can create a new intermediate with
the same intermediate name anytime they want.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EnterpriseDB https://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +
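Worked example added by the editor, not code from the thread or from PostgreSQL. It builds a throwaway chain with the CA names from Chapman's message (collapsed to three layers: root, one intermediate, server), then has the same root mint a second intermediate with the identical subject name but a fresh key, which is the scenario Bruce describes. Using the openssl CLI, it checks what verifies when the trust anchor is the root versus the first intermediate's actual certificate. The server name db.example.org, the serial numbers, and the minimal config file are all constructed here; it needs only the openssl binary and writes to a temporary directory that it removes on exit.

```sh
#!/bin/sh
# Added example, not from the thread: a constructed root -> intermediate -> server
# chain, plus a second intermediate with the SAME name but a new key from the same
# root, checked against two different trust anchors with "openssl verify".
set -e
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config (constructed) so req/x509 do not need a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# issue NAME SUBJECT ISSUER SERIAL EXTSECTION: new key and CSR for NAME, signed by ISSUER's key.
issue() {
    newkey "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -config ca.cnf -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -set_serial "$4" \
        -days 30 -extfile ca.cnf -extensions "$5" -out "$1.crt" 2>/dev/null
}

# Self-signed root: the anchor Chapman is unsure about putting in root.crt.
newkey root.key
openssl req -new -x509 -key root.key -subj "/CN=WE ISSUE TO EVERYBODY.COM" \
    -days 30 -config ca.cnf -extensions ca_ext -out root.crt 2>/dev/null

issue int1  "/CN=WE ISSUE TO LOTS OF FOLKS.COM" root 1001 ca_ext    # the intermediate you were handed
issue int2  "/CN=WE ISSUE TO LOTS OF FOLKS.COM" root 1002 ca_ext    # same name, different key (Bruce's point)
issue leaf1 "/CN=db.example.org"                int1 2001 leaf_ext  # your server cert
issue leaf2 "/CN=db.example.org"                int2 2002 leaf_ext  # a server cert under the re-issued intermediate

# check ANCHOR LEAF INTERMEDIATE [extra verify flags]: prints ok or fail, always returns 0.
check() {
    anchor=$1; leaf=$2; inter=$3; shift 3
    if openssl verify -no-CApath -CAfile "$anchor" -untrusted "$inter" "$@" "$leaf" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

printf '%-52s %s\n' "trust root, leaf1 via int1"                      "$(check root.crt leaf1.crt int1.crt)"
printf '%-52s %s\n' "trust root, leaf2 via same-named int2"           "$(check root.crt leaf2.crt int2.crt)"
printf '%-52s %s\n' "trust int1 only, leaf1 (no -partial_chain)"      "$(check int1.crt leaf1.crt int1.crt)"
printf '%-52s %s\n' "trust int1 only, leaf1, -partial_chain"          "$(check int1.crt leaf1.crt int1.crt -partial_chain)"
printf '%-52s %s\n' "trust int1 only, leaf2 via int2, -partial_chain" "$(check int1.crt leaf2.crt int2.crt -partial_chain)"
```

Two things to read off the table. First, with the root as the anchor, the server cert issued under the re-issued same-named intermediate verifies just as well as yours, because the anchor is a key, not a name, and that key signed both intermediates. Second, pinning the intermediate's certificate instead does reject the re-issued one, but only because OpenSSL is told to accept a chain that does not end in a self-signed certificate (X509_V_FLAG_PARTIAL_CHAIN, exposed by openssl verify as -partial_chain); without that flag the same pinned intermediate fails to verify even your own server cert. Whether a given TLS client, libpq's root.crt handling included, sets that flag is not something this example tests.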