According to Why are self signed certificates not trusted and is there a way to make them trusted?, to trust a self-signed certificate we need to import the root certificate into the trust store of the browser. Does that mean I must distribute to my clients a file, and is that the *.crt file, the *.csr, or the *.key file? What instructions should they follow to import that certificate correctly?
2 Answers
Does that mean I must distribute to my clients a file, and is that the *.crt file, the *.csr, or the *.key file?
You need to distribute the certificate, i.e. the *.crt file. The *.key file must be kept secret since this can be used to impersonate the certificate. It is only actually needed on the server.
What instructions should they follow to import that certificate correctly?
There is no generic way to install a certificate. Details depend on OS and client (i.e. different browsers, apps ...).
Does that mean I must distribute to my clients a file, and is that the *.crt file, the *.csr, or the *.key file?
Both self-signed and CA-signed certificates share certain characteristics - they both have a private key that must be kept secret and a signed certificate that contains a public key that you share with others. The key difference between CA-signed and self-signed certificates is which key is used to sign the certificate - a self-signed certificate uses the private key associated with the certificate to sign it. To make all of this a bit more confusing, Root CAs are also self-signed; to differentiate them from a regular self-signed certificate you need to look at extensions like Basic Constraints.