Jé pa l'temps #6 - Authority certificates
Explanations
- Certificate trust comes from chains of trust between certificates.

TL;DR Explanations
Self-signed certificates are inherently not trusted by your browser because a certificate by itself doesn't establish any trust; the trust comes from being signed by a Certificate Authority that EVERYONE trusts. Your browser simply doesn't treat your self-signed certificate as if it were a root certificate. To make your browser accept your certificate, go into your browser's configuration and add the certificate as a root certificate.
The best way to get a self-signed certificate trusted is to go through a Key Ceremony, which is basically a big public event where all cryptographers and security experts gather together to witness a root CA generate its key pair and declare itself a root CA. Everything is recorded: there is video, and lawyers document who everyone is and what everyone does. The private key is split into many different parts and stored separately in safes, typically after signing a single certificate which is used as an intermediary to sign other certificates. You can read about the typical procedure if you'd like. Of course, you need state-of-the-art security, both technological and physical, to do this and to have anyone want to use or trust your root CA. After doing this, your certificates may be included in browser distributions and can then be used by the general public to create trust chains of certificates.
Cool links
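The trust decision described above can be reproduced with the `openssl` command line. This is an added example, not part of the original note: all subject names and file names are constructed, and it assumes an `openssl` binary (1.1.0 or later) with its default configuration file.

```shell
# Added example: every subject name and file name here is constructed for the demo.
build_chain() {   # $1 = scratch directory that receives the keys and certificates
  d="$1"
  # Root CA: self-signed, so it only counts once a verifier chooses to trust it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA: signed by the root and marked as a CA.
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 1 -out "$d/inter.pem" 2>/dev/null || return 1
  # Leaf certificate: signed by the intermediate, not by the root directly.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1
  # Stand-alone self-signed certificate that chains to nothing.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Returns 0 only when the certificate chains to an anchor given with -CAfile.
# -no-CAfile and -no-CApath keep the system trust store out of the decision.
chain_ok() { openssl verify -no-CAfile -no-CApath "$@" >/dev/null 2>&1; }

report() {   # $1 = label, remaining arguments go to chain_ok
  label="$1"; shift
  if chain_ok "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted"; fi
}

WORK="$(mktemp -d)"
build_chain "$WORK"
report "leaf, root in trust store" -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
report "leaf, root not in trust store" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
report "self-signed, nothing added" "$WORK/self.pem"
report "self-signed, added as a root" -CAfile "$WORK/self.pem" "$WORK/self.pem"
```

The same leaf and the same self-signed certificate flip between trusted and not trusted purely on what the verifier holds as an anchor, which is the step the browser's root store performs.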
- 🇫🇷 http://www.linux-france.org/prj/edu/archinet/systeme/ch24s03.html
- 🇬🇧 https://security.stackexchange.com/questions/112768/why-are-self-signed-certificates-not-trusted-and-is-there-a-way-to-make-them-tru
- 🇬🇧 https://www.thesslstore.com/blog/root-certificates-intermediate/
— — — — — — — — — — — — — — — — — — — — — —
The "Jé pa l'temps" series is a set of quick tutorials written as notes, so that I have a record of everything I can't remember and, why not, can share it with others. We get straight to the point and leave the nice long walls of text to other sites like Medium… LOL!