

Creating Your Own CA Certificate


Self-signed certificates are pretty bad overall, and even worse when served over the internet. You can't easily tell whether the certificate you are about to trust by exception is really yours or was forged by your government or ISP.

So, how do you solve this? By creating your own CA certificate and importing it either into your system's trust store or into Firefox's own, independent CA certificate list.

This turns the self-signed TLS warning into a shining green lock, which assures you that the connection to your server has not been tampered with. If it is tampered with, your browser shows a warning and you will easily notice that someone is modifying your TLS handshake.
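The trust relationship described above can be reproduced on the command line. This is an added example, not the original tutorial's own steps; the CA name "Example Private CA", the hostnames under home.lan, and the file layout are assumptions made for illustration.

```bash
#!/usr/bin/env bash
set -eu

# Create a CA key and self-signed CA certificate in directory $1.
# -nodes keeps the demo non-interactive; protect a real CA key with a passphrase.
make_ca() {
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$1/openssl.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $2, signed by the CA in directory $1.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # Browsers match the hostname against subjectAltName, not the CN.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# Succeed only if certificate $3 chains to the CA in $1 and is valid for host $2.
trusted() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); mkdir "$d/mine" "$d/other"
  make_ca "$d/mine";  issue_cert "$d/mine"  cloud.home.lan
  # A second CA with the same name but a different key (constructed).
  make_ca "$d/other"; issue_cert "$d/other" cloud.home.lan
  trusted "$d/mine" cloud.home.lan "$d/mine/cloud.home.lan.crt"  && echo "issued by my CA: trusted"
  trusted "$d/mine" cloud.home.lan "$d/other/cloud.home.lan.crt" || echo "issued by another CA: rejected"
  trusted "$d/mine" music.home.lan "$d/mine/cloud.home.lan.crt"  || echo "wrong hostname: rejected"
  rm -rf "$d"
}
demo
```

Only ca.crt is imported into the system or Firefox; ca.key never leaves the machine that signs certificates.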

Why not use a Let's Encrypt certificate? Well, there are cases where the service you want to expose on the internet is private (e.g. a Nextcloud, a music server, documentation) and no public domain name points to your server, just a local DNS server or a custom /etc/hosts entry.

Now that you have some background on why and when your own CA certificate is needed, let's get started!

docu/tutos/misc/gen_own_trusted_ca.1581199244.txt.gz · Last modified: 2020/02/08 22:00 by admin