For example, anyone could use Let’s Encrypt to get a trusted certificate, so what makes this trustworthy? Or why not trust everyone that signs their own certificates with a program like OpenSSL?

  • Dodecahedron December · 1 year ago

    Signed by whom? The CA.

    The CA is the certificate authority.

    You can create your own CA and sign your own certs for free, but people would need to have your CA root cert in their browser for them to be able to trust your signed certs.

    Let’s Encrypt is a real CA bundled with browsers, and it signs free cert signing requests when specific criteria are met. This is done because TLS is an important privacy mechanism that works best if many certs are in use and not just a few wildcard certs.

    Why not trust self-signed certs? Because there are no checks. When miicrosoft.com (the people who make the Miis on your Wii) gets a free cert signing from Let’s Encrypt, it’s because the owner of miicrosoft.com proved that they owned the domain miicrosoft.com by means of a Let’s Encrypt / ACME challenge. When you create your own CA and sign your own certs you are beholden to your own rules. You could sign a free cert for microsoft.com (the people who make Minecraft) but then you would also need to convince users to install your CA, and then you can steal their blocks and grief their builds.
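The comment's point in runnable form (an added example, not something from the thread): a private CA can sign a cert for any name, but a verifier only accepts it once that CA's root is in its trust store. It assumes the `openssl` command-line tool is installed; the CA name and the `www.example.com` subject are made up.

```shell
#!/bin/sh
# Demonstrates why a self-made CA's signature carries no trust on its own:
# the signed cert verifies only against a store that contains the CA root.
set -eu

work=$(mktemp -d)

make_chain() {
  # 1. Our own root CA, self-signed. No browser or OS trusts it yet.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$work/ca.key" -out "$work/ca.crt" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  # 2. A server key and CSR for a made-up name; nothing in OpenSSL
  #    checks whether we actually control that domain.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$work/srv.key" -out "$work/srv.csr" \
    -subj "/CN=www.example.com" >/dev/null 2>&1
  # 3. Sign the CSR with our CA. A public CA like Let's Encrypt does this
  #    step only after an ACME challenge proves control of the name.
  openssl x509 -req -in "$work/srv.csr" \
    -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
    -days 30 -out "$work/srv.crt" >/dev/null 2>&1
}

# Returns 0 when the server cert chains to a root in the given store file.
verify_with_store() {
  openssl verify -CAfile "$1" "$work/srv.crt" >/dev/null 2>&1
}

# Returns 0 when the server cert chains to a root in the system's default
# store, i.e. what a client that never installed our CA would see.
verify_with_system_store() {
  openssl verify "$work/srv.crt" >/dev/null 2>&1
}

make_chain
if verify_with_store "$work/ca.crt"; then
  echo "accepted: the verifier was given our CA root as a trust anchor"
fi
if ! verify_with_system_store; then
  echo "rejected: the system trust store has never heard of our CA"
fi
```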