|
|
|
|
|
|
by tucif
3514 days ago
|
|
|
Using HSTS (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/St...)
From the RFC 6797 :
(https://tools.ietf.org/html/rfc6797#page-27) 11.3. Using HSTS in Conjunction with Self-Signed Public-Key
Certificates If all four of the following conditions are true...
o a web site/organization/enterprise is generating its own secure
transport public-key certificates for web sites, and
o that organization's root certification authority (CA) certificate
is not typically embedded by default in browser and/or operating
system CA certificate stores, and
o HSTS Policy is enabled on a host identifying itself using a
certificate signed by the organization's CA (i.e., a "self-signed
certificate"), and
o this certificate does not match a usable TLS certificate
association (as defined by Section 4 of the TLSA protocol
specification [RFC6698]),
...then secure connections to that site will fail, per the HSTS
design. This is to protect against various active attacks, as
discussed above.
However, if said organization wishes to employ its own CA, and self-
signed certificates, in concert with HSTS, it can do so by deploying
its root CA certificate to its users' browsers or operating system CA
root certificate stores. It can also, in addition or instead,
distribute to its users' browsers the end-entity certificate(s) for
specific hosts. There are various ways in which this can be
accomplished (details are out of scope for this specification). Once
its root CA certificate is installed in the browsers, it may employ
HSTS Policy on its site(s).
|
|
|