Digital Certificates-2

Under what circumstances may an organisation decide to have its own Certification Authority (CA) rather than purchasing certificates from a commercial CA, and what are the implications? Thanks in advance.
ASKED: December 19, 2005  9:53 PM
UPDATED: January 10, 2006  2:54 PM

Answer Wiki


The bottom line is who the consumers of your certificates are. If all consumers are entities for which you can (securely) install the certificate of your CA in their list of trusted authorities, then you can use your own CA; otherwise, you need your certificates to be signed by an authority in the standard list(s) so that any client installing one knows it's trustworthy.

Note that you can create a trusted authority. That is, your own CA but its certificate (and thus all others signed by it, indirectly) are trusted. This is a good compromise if you are dealing with external entities but still want complete control of the certificates you're using.

Finally, note that the most important thing about running your own CA is keeping it secure. If the machine or CA service is compromised in any way you have to start over.
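
The trust decision described in the answer above, as an added example that is not part of the original thread: it builds a throwaway CA with the openssl CLI and shows that a server certificate it signs is accepted only by a client whose trusted list contains that CA's certificate. The CA names, the host name owa.example.internal and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All names and subjects are constructed.
set -u

# new_ca DIR NAME: create a self-signed CA certificate DIR/NAME.pem
new_ca() {
  cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA HOST: sign a server certificate DIR/HOST.pem with CA's key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/$2.cnf" \
    -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# trusted STORE CERT: true only if CERT chains to a CA in the PEM file STORE.
# -no-CAfile/-no-CApath keep the system trust list out of the decision.
trusted() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  new_ca "$d" internal-ca && new_ca "$d" other-ca || return 1
  issue "$d" internal-ca owa.example.internal || return 1
  cert="$d/owa.example.internal.pem"
  # A client that installed our CA certificate accepts the server certificate.
  trusted "$d/internal-ca.pem" "$cert" && echo "managed client: trusted"
  # A client with only other CAs in its list rejects the very same certificate.
  trusted "$d/other-ca.pem" "$cert" || echo "unmanaged client: NOT trusted"
  rm -rf "$d"
}

demo
```

The CA private key (internal-ca.key here) is the asset the answer says must be kept secure: anyone holding it can issue certificates that every managed client will accept.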

Discuss This Question: 4  Replies

 
  • Ttully
    It depends on what you will be using the certificate for. If it is just to authenticate internal users and servers, then you can use your own Enterprise CA. I recently set up Outlook Web Access and to enable https connections, it is necessary to purchase a commercial Certificate for your remote users.
  • Atomas
    Check http://www.openssl.org/docs/apps/openssl.html if you go with your own CA. There are some good DOCS to read.
  • Fitzy216
    Please ignore other replies. You can use self-signed certs fine and do not require a commercial cert for OWA to work like others have responded. The only difference is users will be prompted with a cert warning when they attempt to log on, but you could always install the cert in the trusted CA store, negating this issue completely. Hope this helps.
  • Amigus
    Please do not ignore other replies. fitzy216's reply neglects to mention that while self-signed certificates "work" in that they can be used to establish an encrypted channel (privacy), they don't allow you to verify that you're really talking to the server you think you are (integrity) unless, of course, the signer's CA cert is in the trusted store of all computers, as he points out. If integrity is important or if you can't install to the clients' trusted authorities store, the decision-making criteria are a little more complex.