Is it possible to use https (own-server) without paying anything?

Tags: https, ssl, apache

I want to use SSL (https) to secure communication. Is it possible to do it without buying a certificate of some sort?

gernberg asked Jun 01 '09 12:06


3 Answers

You can use a self-signed certificate (Google it) but your users will get a message saying the certificate is not valid. The traffic will still be encrypted, however.

The reason you have to pay a third party for a "valid" SSL certificate is that part of the purpose of an SSL certificate is to verify the authenticity of your server. If anybody could issue an SSL cert with any information they wanted, what's to prevent me from setting up an SSL certificate using Walmart.com's contact information and tricking users into thinking my site is a branch of walmart.com?

In short, you can get the encryption part for free, but if you want to avoid browser identity warnings, you'll need to pay for a third party cert.

Chris answered Oct 21 '22 07:10


You can self-sign a cert, or get one from cacert.org or a related free signing community. Most browsers will throw up warnings, so you shouldn't do it for production (if you are an e-business), but during development, or if you don't care about the warnings, it's a cheap alternative.

Todd Gardner answered Oct 21 '22 07:10


As others have said, you can simply and easily use self-signed certificates or set up your own certificate authority (CA) and then issue as many certificates as you want. All these certificates are as valid as the "commercial" ones issued by the big CAs, so there is no technical difference between your certificate and the one from, say, VeriSign.

The reason most browsers and other client applications warn about your certificate is that they do not know and therefore do not trust your CA. Browsers usually come with hundreds of well-known CA certificates everyone automatically trusts (if that's a good thing, well...), so you don't get a warning when visiting amazon.com via HTTPS. In Firefox, you can go to "Preferences" > "Advanced" > "Encryption" > "View Certificates" to see which CAs or individual certificates your browser currently trusts.

In the end, it's a question of whom you and the users of your service trust. If your users know and trust you (say in a company network or a small development team), they can add your CA's certificate to the trusted certificates in their browser. From then on, every certificate issued by your own CA will generate no warning and will be trusted just like every other certificate.

Simon Lehmann answered Oct 21 '22 05:10
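
The private-CA setup described in the last answer, as an added example that is not part of the original thread: it creates a CA, signs one server certificate with it, and verifies that certificate both as a client that has imported the CA and as one that has not. The CA name, hostname and file names are constructed, and the script assumes OpenSSL 1.1.1 or later on the PATH.

```bash
#!/usr/bin/env bash
# Added example; "Example Dev CA" and dev.example.internal are constructed names.

# Create a private CA in directory $1 and sign one server certificate with it.
build_pki() {
  d=$1; host=dev.example.internal
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Dev CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed CA certificate: ca.crt is the file users import as trusted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Server key and certificate signing request (subject overridden by -subj).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=$host" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  # Leaf extensions: not a CA, valid for exactly one hostname.
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$d/srv.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$d/srv.ext" \
    -out "$d/srv.crt" 2>/dev/null
}

# Client that has imported the CA certificate: chain and hostname both check out.
verify_with_ca() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname dev.example.internal \
    "$1/srv.crt" >/dev/null 2>&1
}

# Client with only its default trust store: the issuer is unknown, so this fails.
verify_without_ca() {
  openssl verify "$1/srv.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir"
verify_with_ca "$demo_dir" && echo "CA imported: certificate trusted"
verify_without_ca "$demo_dir" || echo "CA not imported: certificate rejected"
rm -rf "$demo_dir"
```

Only `ca.crt` is distributed to clients; `ca.key` can sign a certificate for any name those clients will then accept, so it stays off the web server and out of version control.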