View Full Version : Self-signed https
chrisb 09-01-2002, 04:05 PM Does anyone know of a secure page (https) URL that uses a self-signed certificate that I can test on my browser?
I also don't understand why my host's self-signed certificate doesn't work on my browser for the secure version of cPanel. Yet, their signed certificate works fine on shared SSL pages. Any tips?
Ahmad 09-01-2002, 04:20 PM It depends on what you mean by 'work'.
If you visit an https website with a self-signed certificate, you will always get an error message from your browser (unless you are a CA yourself ;)).
However, you can accept the "untrusted" certificate and visit the website, still, in a secure manner. But your website will be vulnerable to a man-in-the-middle attack. Besides, your clients will run away.
2host.com 09-01-2002, 04:39 PM Originally posted by chrisb
Does anyone know of a secure page (https) URL that uses a self-signed certificate that I can test on my browser?
I also don't understand why my host's self-signed certificate doesn't work on my browser for the secure version of cPanel. Yet, their signed certificate works fine on shared SSL pages. Any tips?
I suppose depending on your browser and its settings, it might not give you the option to accept certificates it doesn't recognize as being from an authorized vendor. It also could be that your system is set to a lower cipher bit rating than the self-signed certificate. In other words, the shared certificate that does work might be 56-bit cipher and the self-signed one might be 128-bit. This is common on Windows default installs with service packs and you might need to upgrade. It's usually attributed to one of those reasons above if you can use one but not another, but it can depend on how it's set up too.
chrisb 09-01-2002, 04:48 PM By works, I mean "the page won't load". The signed certificate page that comes up uses a 128-bit certificate, so I don't understand why the self-signed one won't come up. I'm saying it won't even come up with warnings.
I'm trying to figure this out to create my own self-signed certificate without the warnings. I've seen this done. (Yes, I'm aware that many users will not trust it).
I don't have root access on my server, yet my host said that if I created a self-signed certificate that they would install it for me at no charge.
I'm using shell to make the certificate without a password per Redhat's instructions, but first I want to find an https site that loads on my browser so I'll know if that's the right kind that I need. For example, I don't know if I need x509 or not.
I'm looking for a way to make a self-signed certificate that doesn't require the client to have the root CA on their local machine.
bitserve 09-01-2002, 06:37 PM Originally posted by Ahmad
However, you can accept the "untrusted" certificate and visit the website, still, in a secure manner. But your website will be vulnerable to a man-in-the-middle attack. Besides, your clients will run away.
Ahmad, remind me again how a self-signed certificate is more vulnerable to a man in the middle attack?
Chris, as far as I know, X.509 is just a syntax for certificate files. You might try using the mkcert.sh script that comes with mod_ssl to generate your self-signed certificate. It's rather easy to use and will walk you through creating your private key, your CA cert, your CSR, then signing your CSR with your CA cert.
Ahmad 09-02-2002, 09:32 PM Originally posted by bitserve
Ahmad, remind me again how a self-signed certificate is more vulnerable to a man in the middle attack?
I can't find that old thread.
Anyway, in short: a man-in-the-middle attack can be done by somebody who hacks into a DNS server, say for a popular ISP in your area, and changes the DNS cache or even hard-codes an IP address for a very popular online shop in your area, so that the domain will point to his own IP address.
Then he will act as if he is that popular website. He will get all requests, still on a secure connection, but as they reach his server he can decrypt them, store the pieces of information he wants (e.g.: CC#), then send the information from his server to the REAL online shop, see what response he gets from the REAL online shop and send it back to the client.
Everything would be transparent, except that visiting the attacker's website would generate an error message because his certificate is self-signed (as he can't have a certificate that is signed by a CA if he is not the real owner of the domain).
Now, if your own website uses a self signed SSL certificate, nobody can tell the difference between your own certificate and the attackers certificate, so they cannot detect attackers. i.e.: more vulnerable to man in the middle attack.
bitserve 09-03-2002, 12:48 AM Ahmad, that makes sense.
It's not what I had imagined when you said man-in-the-middle attack.
Ahmad 09-03-2002, 12:46 PM Yes. That is what I always knew as a man-in-the-middle-attack.
But I found out there are other types of attacks called man-in-the-middle too, like when a cracker takes a couple of machines and uses them to DDoS a target machine.