I have an ESXi server that is using a self-signed certificate, and the browser gives a warning that SSL certificate cannot be trusted.
I want to put that cert into the Trusted Root Certification Authorities store. Will that get rid of the warning message?
Also is it possible to create identical self-signed certificates? For example, an attacker realizes I have self-signed certificates in the Trusted Root Certification Authorities store and they make (Self-sign) cert with the same parameters. Would they be able to perform a MiTM attack?
The process for making a self signed certificate includes getting a randomly generated key to use for the certificate. Your operating system provides tools to create cryptographically secure random numbers to use for that purpose. So every certificate you generate will have a unique key, and nobody can (easily) create the same certificate.
Part of what makes public key cryptography work is that you never reveal the key to anyone. The ESXi server will prove to your web browser that it knows the key, but never tell you what the key is. So nobody can copy your certificate and make a new one that way. They would need to break into the server and steal the key from there, at which point copying your self-signed certificate is the least of your worries.
Adding the self signed certificate to your trusted root store will likely get rid of the warning, as long as it's an otherwise valid certificate that follows all of the rules for host names and validity durations. It doesn't create any new security concerns, and is much better than just accepting the certificate warning, because if you routinely just click ok to that warning, someone else could pretend to be your ESXi server with any self signed certificate, and you wouldn't notice unless you actually examined the certificate carefully each time.
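To see why the "same parameters" attack in the question does not work, here is an added example (not part of the question or answer above) that generates two self-signed certificates with an identical subject, SAN and validity, then shows that their fingerprints and public keys differ and that a trust store holding the first rejects the second. It assumes `openssl` is on the PATH; the host name `esxi.example.local` is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is installed;
# the host name esxi.example.local is a constructed placeholder.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="esxi.example.local"

# make_cert NAME: self-signed cert with a freshly generated 2048-bit RSA key
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# fingerprint NAME: SHA-256 over the whole DER-encoded certificate
fingerprint() {
    openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# pubkey_hash NAME: SHA-256 over the public key alone (what a key pin compares)
pubkey_hash() {
    openssl x509 -in "$WORK/$1.crt" -noout -pubkey | openssl sha256 | cut -d= -f2
}

# verify_against TRUSTED CANDIDATE: "accepted" when CANDIDATE validates against
# a trust store containing only TRUSTED, "rejected" otherwise
verify_against() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_cert real
make_cert imposter   # identical subject, SAN and validity; different random key

REAL_FP="$(fingerprint real)";     IMPOSTER_FP="$(fingerprint imposter)"
REAL_PK="$(pubkey_hash real)";     IMPOSTER_PK="$(pubkey_hash imposter)"

echo "real     cert=$REAL_FP pubkey=$REAL_PK"
echo "imposter cert=$IMPOSTER_FP pubkey=$IMPOSTER_PK"
echo "real     vs trust store {real}: $(verify_against real real)"
echo "imposter vs trust store {real}: $(verify_against real imposter)"
```

The trust store matches on the exact certificate (and its key), not on the subject name, so a look-alike certificate with a different key is rejected; the same holds for a browser's root store once the real certificate is imported.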