Under what circumstances may an organisation decide to have its own certification authority rather than purchasing certificates from a commercial CA, and what are the implications?
Question
0
Votes
certificate authority
27th Mar 2009
Answers (3)
0
Votes
well...
In many cases an organization may wish to use certificates that are only relevant for the organization and don't need to be valid for the internet as a whole.
For instance, the organization may require that users or computers have a certificate in order to log on using 802.1x authentication. In these cases it's much simpler and more cost-effective to issue your own certificates rather than buying certificates from a commercial CA, since the certificates only need to be recognized by the organization's own systems.
27th Mar 2009
0
Votes
We just did this
Is this a school question or something?
Difference is, no one in the external internet will necessarily trust a self-signed certificate. Great for in-house stuff, as Kjell noted.
27th Mar 2009
0
Votes
I think the point is you don't need what you'd be paying for.
At the risk of redundantly repeating what's already been said, you pay a CA like Verisign to give you a certificate that people who don't know you (i.e. your company) well enough to trust you will accept.
Obviously for internal organisational matters you trust yourselves.
I created a self-signed certificate for a website of ours that's available over the public internet through SSL but that only company staff have authentication details for.
The implications, it's worth noting, are that most browsers ship having been preset to automatically trust certificates from the major CAs - so when you connect to Amazon to make a payment, the lock appears, the protocol changes to 'HTTPS' and you don't notice anything else. If your certificate is self-signed then anyone who's expected to accept it will have to do so, as their browser will flag it as not being listed in their internal DB.
It's a lot more obvious, in other words, and requires explicit acceptance from the user.
3rd Apr 2009
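An added example (not part of the thread) of the trust-store behaviour the answers describe: a certificate issued by an organisation's own root is accepted only by clients that hold that root. It uses the `openssl` command line; the organisation name, hostname and the "Unrelated Root" standing in for a client's preloaded store are all constructed for illustration.

```shell
#!/bin/sh
# Added example; every name below is constructed for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root <name> <CN>: self-signed root certificate (a trust anchor).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert <ca-name> <hostname>: key and CSR for an internal
# service, signed by the named root instead of a commercial CA.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$2" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/srv.csr" -days 30 \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/srv.crt" 2>/dev/null
}

# trusted_by <anchor-name>: succeeds only if srv.crt chains to that root,
# which is the check a client makes against its preloaded trust store.
trusted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/srv.crt" >/dev/null 2>&1
}

make_root internal "Example Corp Internal Root"
make_root other "Unrelated Root"   # stands in for a store without our root
issue_server_cert internal intranet.example.internal

for anchor in internal other; do
    if trusted_by "$anchor"; then
        echo "client holding '$anchor' root: certificate accepted"
    else
        echo "client holding '$anchor' root: certificate rejected"
    fi
done
```

The practical implication is that the internal root has to be distributed to every system that should accept these certificates, and its private key (`internal.key` here) becomes the asset to protect.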

































