Digital Certificates-2

Under what circumstances may an organisation decide to have its own Certification Authority (CA) rather than purchasing certificates from a commercial CA, and what are the implications? Thanks in advance.

Answer Wiki

The bottom line is who the consumers of your certificates are. If all consumers are entities for which you can (securely) install the certificate of your CA in their list of trusted authorities, then you can use your own CA; otherwise, you need your certificates to be signed by an authority in the standard list(s) so that any client installing one knows it’s trustworthy.

Note that you can create a trusted authority. That is, your own CA but its certificate (and thus all others signed by it, indirectly) are trusted. This is a good compromise if you are dealing with external entities but still want complete control of the certificates you’re using.

Finally, note that the most important thing about running your own CA is keeping it secure. If the machine or CA service is compromised in any way, you have to start over.

Discuss This Question: 4  Replies

  • Ttully
    It depends on what you will be using the certificate for. If it is just to authenticate internal users and servers, then you can use your own Enterprise CA. I recently set up Outlook Web Access, and to enable HTTPS connections, it is necessary to purchase a commercial certificate for your remote users.
  • Atomas
    Check if you go with your own CA. There are some good docs to read.
  • Fitzy216
    Please ignore other replies. You can use self-signed certs fine and do not require a commercial cert for OWA to work, like others have responded. The only difference is users will be prompted with a cert warning when they attempt to log on, but you could always install the cert in the trusted CA store, negating this issue completely. Hope this helps.
  • Amigus
    Please do not ignore other replies. Fitzy216's reply neglects to mention that while self-signed certificates "work" in that they can be used to establish an encrypted channel (privacy), they don't allow you to verify that you're really talking to the server you think you are (integrity), unless of course the signer's CA cert is in the trusted store of all computers, as he points out. If integrity is important, or if you can't install to the clients' trusted authorities store, the decision-making criteria are a little more complex.
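The trust-store point made in the answer and replies above can be reproduced with the `openssl` command line. This is an added example, not part of the original thread; the CA name, the host name `owa.example.internal` and all file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every name and path here is made up for illustration.

make_pki() {  # $1 = empty working directory
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Private root CA: a self-signed certificate marked CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # 2. Server key and signing request, then a certificate issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=owa.example.internal" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null || return 1
  # 3. A self-signed certificate claiming the same server name, vouched for by nobody.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -subj "/CN=owa.example.internal" \
    -keyout "$d/other.key" -out "$d/selfsigned.pem" 2>/dev/null || return 1
}

# Client with only the platform's default trust list (no private root installed).
accepts_with_default_store() { openssl verify "$1" >/dev/null 2>&1; }

# Client that has had the private root installed as a trust anchor.
accepts_with_private_root() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }

demo() {
  local d c; d=$(mktemp -d) && make_pki "$d" || return 1
  for c in srv selfsigned; do
    accepts_with_default_store "$d/$c.pem" && echo "$c: default store ACCEPT" \
      || echo "$c: default store REJECT"
    accepts_with_private_root "$d" "$d/$c.pem" && echo "$c: private root ACCEPT" \
      || echo "$c: private root REJECT"
  done
  rm -rf "$d"
}
demo
```

Only the certificate issued by the private root, checked by a client that holds that root, is accepted. A client without the root cannot tell the genuine server certificate from the self-signed one carrying the same name.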
