[OpenWrt-Devel] wiki.openwrt.org uses an invalid security certificate / expired on 12.2.2015 17:18

Alessandro Di Federico ale+owrt at clearmind.me
Sat Feb 14 13:31:17 EST 2015

On Sat, 14 Feb 2015 18:21:41 +0100
phaidros <phaidros at subsignal.org> wrote:

> Nope, I would vote against StartSSL. I know it is free, but the
> procedure sucks, and honestly: there is *one* company on the planet
> giving out *free* SSL Certs .. if that doesn't ring bells, I dunno what
> could :)

They just say you're who you say you are, they don't have your private
key. In any case, if you don't trust them, it doesn't matter, because
they're part of the trusted set of the PKI, so everyone trusts them
(and can be fooled by them). We could start talking about
certificate pinning, but I don't think it's a priority right now.

On Sat, 14 Feb 2015 09:35:29 -0800
"Constantine A. Murenin" <mureninc at gmail.com> wrote:
> No, WoSign also does.
>     https://www.wosign.com/english/price.htm
> In fact, WoSign gives out free certificates valid for 2 years, and
> they also even let you have multiple CNs in the same cert (although
> wildcard for free is not supported).

Never tried them. StartSSL certificates last one year and are valid for
one second level domain (e.g. openwrt.org) and a third level
domain (e.g. wiki.openwrt.org), but you can have as many of them as you
want (e.g. one for openwrt.org+wiki.openwrt.org and one for

If the admins are interested in *my* help I'd go for StartSSL, for the
simple reason that it takes 30 seconds to generate a new certificate,
since I'm already using it.

In the future, we'll all use Let's Encrypt and be happy [1].

In any case, I'd avoid CACert [2].

Alessandro Di Federico

[1] https://letsencrypt.org/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=215243