Shorewall Certificate Authority (CA) Certificate


Given that I develop and support Shorewall without asking for any remuneration, I can hardly justify paying $200US+ a year to a Certificate Authority such as Thawte (A Division of VeriSign) for an X.509 certificate to prove that I am who I am. I have therefore established my own Certificate Authority (CA) and sign my own X.509 certificates. I use these certificates on my web server (http://www.shorewall.net) as well as on my mail server (mail.shorewall.net).

X.509 certificates are the basis for the Secure Sockets Layer (SSL). As part of establishing an SSL session (URL https://...), your browser verifies the X.509 certificate supplied by the HTTPS server against the set of Certificate Authority Certificates that were shipped with your browser. It is expected that the server's certificate was issued by one of the authorities whose identities are known to your browser.

This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar you are REALLY connecting to www.foo.bar, means that the CAs literally have a license to print money -- they are selling a string of bits (an X.509 certificate) for $200US+ per year!!!

I wish that I had decided to become a CA rather than designing and writing Shorewall.

What does this mean to you? It means that the X.509 certificate that my server will present to your browser will not have been signed by one of the authorities known to your browser. If you try to connect to my server using SSL, your browser will frown and give you a dialog box asking if you want to accept the sleazy X.509 certificate being presented by my server.

There are two things that you can do:
  1. You can accept the www.shorewall.net certificate when your browser asks -- your acceptance of the certificate can be temporary (for that access only) or permanent.
  2. You can download and install my (self-signed) CA certificate. This will make my Certificate Authority known to your browser so that it will accept any certificate signed by me.
What are the risks?
  1. If you install my CA certificate then you assume that I am trustworthy and that Shorewall running on your firewall won't redirect HTTPS requests intended to go to your bank's server to one of my systems that will present your browser with a bogus certificate claiming that my server is that of your bank.
  2. If you only accept my server's certificate when prompted then the most that you have to lose is that when you connect to https://www.shorewall.net, the server you are connecting to might not be mine.
I have my CA certificate loaded into all of my browsers but I certainly won't be offended if you decline to load it into yours... :-)
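
The difference between the two choices can be reproduced with throwaway certificates. The script below is an added example, not part of the original page or of Shorewall: it builds a private CA, signs two server certificates with it, and checks them against a trust store with and without that CA installed. The names shipped-ca, private-ca, www.example.test and other-site.example.test are constructed for the demonstration, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# Added illustration: all names, keys and files below are constructed, throwaway values.

# make_ca DIR NAME: create a self-signed CA certificate at DIR/NAME.crt.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA HOST: create a key and CSR for HOST and sign the CSR with CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.crt" 2>/dev/null
}

# verdict TRUSTFILE CERT: print "accept" if CERT chains to a CA in TRUSTFILE, else "reject".
verdict() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo accept
    else
        echo reject
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" shipped-ca && make_ca "$d" private-ca &&
        issue_cert "$d" private-ca www.example.test &&
        issue_cert "$d" private-ca other-site.example.test || { rm -rf "$d"; return 1; }
    # Trust store as shipped: the private CA is unknown, so the client warns.
    echo "shipped store, www.example.test:          $(verdict "$d/shipped-ca.crt" "$d/www.example.test.crt")"
    # Trust store after the private CA certificate has been installed.
    cat "$d/shipped-ca.crt" "$d/private-ca.crt" > "$d/store.pem"
    echo "with private CA, www.example.test:        $(verdict "$d/store.pem" "$d/www.example.test.crt")"
    # The same CA can vouch for any other name, and the client accepts that too.
    echo "with private CA, other-site.example.test: $(verdict "$d/store.pem" "$d/other-site.example.test.crt")"
    rm -rf "$d"
}

demo
```

The check here covers only the signature chain; matching the certificate's name against the host being visited is a separate step that a browser performs in addition.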

Last Updated 11/14/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.