From: ldo@nz.invalid   
      
   On Sun, 1 Sep 2024 00:43:57 -0000 (UTC), bp wrote:   
      
   > I thought the host certificate _became_ a CA   
   > certificate through the self-signing process..... So, I actually need   
   > _two_ certificates, one for the server and one for the signing   
   > authority, both created on the sesrver?   
      
   A CA cert needs to be self-signed, since of course there is nobody higher   
   (within the SSL/TLS protocol, anyway) to vouch for a CA’s authenticity.   
   The OS (or the browser) typically comes with a set of CA certs that it   
   trusts, preinstalled. So any cert signed (directly or indirectly) by any   
   of these CAs becomes trusted as well. And you should be able to add to   
   these certs, or even remove them.   
      
   > Presumably the client (a Pi5 running RasPiOS) already has created its   
   > own?   
      
   Its own CA? Hard to think why it would.   
      
   >> The procedure for being your own CA is a lot simpler in OpenSSL 3. I   
   >> have some notes here .   
   >   
   > Fortunately it seems OpenSSL 3 is installed. I'll try your exercise   
   > shortly   
      
   I should mention that my example use of TLS/SSL is as a wrapper for an   
   entirely custom protocol, not related to HTTP/HTTPS. There are certain   
   requirements for certs used for HTTP/HTTPS, where the “subject” field must   
   contain the fully-qualified DNS name in the “CN=” part.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)