There was a bunch of GPG tinkering trying to get GPG to generate a ssh-compatible (ie. one you get from id_rsa.pub) key using my private key. While it turned into a epic fail costing me a good chunk of the day. I dived a bit into the security stuff that everyone hates.
While going about my day, I wondering if self-signed certs can be used in a way that wouldn’t get you ostracized from a security conscious community. Johnathon has warned the blogosphere at large why self-signed certs are bad and why Firefox makes you jump through hoops to allow a self-signed cert to get through. But I thought of a good use case for why you may want to use it :
- Self-signed certs provide little value for your users (fe. blog comments are public anyways)
- You may not have the means (eg. credit card, unique ip if your with Dreamhost) to buy one
- You only really need them for some basic stuff that users shouldn’t interact with at all. Like logging in to wordpress.
In which case, you can generate a self-signed cert and configure a web server to serve you it on some uncommon port such as port 43034. The benefit is that its transparent to users. It will not interfere with their browsing. And you get the benefit of encryption and authorization, and knowing for certain that the certificate is yours (you have access to the certificate’s fingerprints).
I tried this on Dreamhost and I failed. Or, rather, Apache doesn’t you set up a <VirtualHost> in a .htaccess file. Dreamhost didn’t have anything in their web panel that would fix this. You can enable SSL for a site, but they force you into port 443 and don’t let you have both HTTP and HTTPS.
Another excellent educational learning opportunity ruined by over-zealous security zealots.