To explain the situation a bit:
I'm building an iOS application that uses SSL pinning. I've created a self-signed certificate authority that issues SSL certificates to my web server, and the CA's certificate is bundled with the application for verification. I'd like to use letsencrypt to create the SSL certificates for the web server so that they are trusted implicitly by web browsers, but their certificates wouldn't be signed by my CA so this wouldn't work in the application. (It's worth noting that certificates issued by letsencrypt are very short lived, so they can't be used directly for SSL pinning).
So I'd like to generate a certificate using letsencrypt and then cross-sign it with my CA. Is this possible?
This might be better at http://security.stackexchange.com/ – Raystafarian – 2015-12-14T12:03:27.623
Don't bundle root CA cert, bundle the final cert. Just use regular, commercial, 2-year long certs and publish new version of your app every year, bundled with 2 overlapping certs. It's easy for your cert-pinned client to accept one of several certs. OR have your www signed by letsencrypt but sign API with self-signed on a subdomain. There is no point in your app accessing WWW or users accessing API via browser, so I don't really feel your problem. – Agent_L – 2015-12-14T12:03:46.740
As @Agent_L suggested, I would recommend to use a separate (sub)domain for the app api. – zelanix – 2015-12-14T13:00:08.987
@Agent_L the problem is purely my own. I don't need to do this, it would just make me happier to know that it's a valid SSL certificate, but still pinned. This question is just me asking "Can this be done?", not necessarily saying that I can't continue without doing it. – Ell Neal – 2015-12-14T13:04:37.153
@EllNeal Every SSL cert is valid. Self-signed can be more secure than signed by some commercial signer. – Agent_L – 2015-12-14T13:06:38.363
@Agent_L I agree, excuse my wording. I meant implicitly trusted. – Ell Neal – 2015-12-14T13:09:01.860
@EllNeal It's still not the correct term : ) It's merely "trusted by the guy who made your OS (or browser)". And they are sometimes wrong. – Agent_L – 2015-12-14T13:11:17.223
@Agent_L: "Valid" itself has various meanings here – for example, in OpenPGP circles (and often when it comes to X.509 as well), it has nothing to do with format/syntax validity, but everything to do with trust of the signatures a certificate carries. A self-signed X.509 cert wouldn't be malformed, but still could be invalid in the sense that there's no trust anchor to verify it against... – user1686 – 2015-12-14T13:48:09.817
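As an added illustration of the "accept one of several certs" approach from the comments (example code written for this page, not code from the asker or any commenter): the snippet below pins the SHA-256 hash of the DER-encoded SubjectPublicKeyInfo rather than the whole certificate or the issuing CA. Because the hash covers only the server's public key, a certificate for the same key issued by the app's own CA and one issued by a public CA produce the same pin, and a pin set can carry a backup pin for the next key. Everything is pure standard library; the DER walker implements just enough of the RFC 5280 certificate layout to locate the SPKI, and the certificates it is run on are constructed, certificate-shaped stand-ins with placeholder signatures (the key bytes, OIDs in the helper, and names are assumptions), not real signed certificates.

```python
"""Added example: SPKI (public-key) pinning against a pin *set*.
The pin is Base64(SHA-256(DER SubjectPublicKeyInfo)), so the issuer of the
certificate does not change the pin as long as the server key is the same.
Certificates used here are constructed stand-ins, not valid TLS certs."""
import base64
import hashlib


def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
        hdr = 2 + k
    end = pos + hdr + n
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos + hdr:end], end


def children(content):
    """Split a SEQUENCE body into (tag, full_tlv_bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout):
    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, body, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs = children(body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(read_tlv(tbs)[1])
    if fields and fields[0][0] == 0xA0:      # explicit [0] version present
        fields = fields[1:]
    spki_tag, spki = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def spki_pin(cert_der):
    """Base64(SHA-256(DER SPKI)), the common pin representation."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def matches_pin_set(cert_der, pins):
    """True only if the certificate's key is in the pin set; any parse
    failure is treated as a mismatch, never as an accept."""
    try:
        return spki_pin(cert_der) in set(pins)
    except (ValueError, IndexError):
        return False


# ---- constructed stand-ins (hypothetical; not valid TLS certificates) ----
def demo_spki(pubkey_bytes):
    """SPKI-shaped SEQ { algorithm SEQ { OID rsaEncryption }, BIT STRING }."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
    return der(0x30, alg + der(0x03, b"\x00" + pubkey_bytes))


def build_demo_cert(pubkey_bytes, issuer_label):
    """Certificate-shaped DER with the given key and issuer CN; the signature
    is zero-filled, so only the structure is realistic."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, issuer_label))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"151214000000Z") + der(0x17, b"160314000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name + validity + der(0x30, b"") + demo_spki(pubkey_bytes))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))


if __name__ == "__main__":
    key_a, key_b = b"\x01" * 256, b"\x02" * 256          # constructed key bytes
    own_ca = build_demo_cert(key_a, b"My Pinning CA")    # same key, own CA
    public = build_demo_cert(key_a, b"Public CA")        # same key, public CA
    rotated = build_demo_cert(key_b, b"Public CA")       # next key
    pins = {spki_pin(own_ca), spki_pin(rotated)}         # current pin + backup pin
    print("same key, different issuer, same pin:", spki_pin(own_ca) == spki_pin(public))
    print("rotated key accepted via backup pin:", matches_pin_set(rotated, pins))
```

The design point is that the pin set is what gives the client the overlap window the comments describe: ship the pin for the key in use plus a backup pin for a key that is already generated but not yet deployed, and a short-lived certificate renewed for the same key keeps matching without an app update. Parse errors deliberately fall through to "no match" so a malformed certificate can never be accepted.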