[strongSwan] Can't load certificates and keys via symlink

Jose Novacho jnovacho at yahoo.com
Sat Feb 11 12:03:47 CET 2017


> You are still trusting a public CA to not issue another certificate for that server to a malicious third party.

I'm not sure I'm following. How can a public CA generate a certificate for
my server for someone who doesn't have access to my server? That would
totally break SSL/HTTPS as it is used now. If anyone could generate a
certificate for any domain, what would be the point of using certificates
to validate the identity of servers? I don't really know that much
about this stuff, but this was one thing I thought I knew.

Also, the only other issue than to use a public CA I know is to use a self-signed
CA. And if I use self-signed, no one is obligated to trust it, as anyone
can create self-signed certificates.

My goal is to have the VPN available for an occasional friend, so we can
play some games on LAN. By using the LE certificate, he does not have to
do anything apart from filling in the username/password. The LE
certificates are trusted by Windows, so there is no fiddling with that.

On 10. 2. 2017 14:59, Noel Kuntze wrote:
> On 10.02.2017 12:17, Jose Novacho wrote:
>> It seems we are talking about two different things.
> I know that and it is deliberate. The things I describe are issues that will, albeit at some arbitrary point in the future,
> be encountered by you, if you do not fix them now.
>
>> I have used the LetsEncrypt certificate to authenticate the server itself. Peers are using username and password using EAP, that's not an issue.
> You are still trusting a public CA to not issue another certificate for that server to a malicious third party.
>
>


