certificate authority
rollinsadjei
Under what circumstances may an organisation decide to have its own certification authority rather than purchasing certificates from a commercial CA, and what are the implications?
    Kjell_Andorsen

    In many cases an organization may wish to use certificates that are only relevant for the organization and don't need to be valid for the internet as a whole.

    For instance, the organization may require that users or computers have a certificate in order to log on using 802.1x authentication. In these cases it's much simpler and more cost-effective to issue your own certificates rather than buying certificates from a commercial CA, since the certificates only need to be recognized by the organization's own systems.

    seanferd

    Is this a school question or something?

    Difference is, no one in the external internet will necessarily trust a self-signed certificate. Great for in-house stuff, as Kjell noted.

    darpoke

    At the risk of redundantly repeating what's already been said, you pay a CA like Verisign to give you a certificate that people who don't know you (i.e. your company) enough to trust you will accept.

    Obviously for internal organisational matters you trust yourselves :-)

    I created a self-signed certificate for a website of ours that's available over the public internet through SSL but that only company staff have authentication details for.

    The implications, it's worth noting, are that most browsers ship having been preset to automatically trust certificates from the major CAs - so when you connect to Amazon to make a payment, the lock appears, the protocol changes to 'HTTPS' and you don't notice anything else. If your certificate is self-signed then anyone who's expected to accept it will have to do so, as their browser will flag it as not being listed in their internal DB.

    It's a lot more obvious, in other words, and requires explicit acceptance from the user.
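Kjell's and darpoke's points, worked through with openssl as an added example (not code from any poster): a private root issues a certificate for an internal host, and that certificate verifies against the organisation's own root but not against an unrelated root, which stands in for a browser's built-in trust store. The organisation and host names and the temporary working directory are assumptions.

```shell
# Added example: an organisation's own root CA issues a certificate for an
# internal host. The leaf verifies against that root but not against an
# unrelated root, which stands in for a browser's built-in trust store.
# Names (Example Corp, intranet.example.internal) are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so results do not depend on the system openssl.cnf; the
# self-signed root carries an explicit CA:TRUE basic constraint.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

# make_root <basename> <common-name>: self-signed root CA key and certificate.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf <root-basename> <hostname>: leaf certificate signed by that root.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -out "$WORK/leaf.crt" 2>/dev/null
}

# check_trust <root-basename>: "trusted" if the leaf chains to that root.
check_trust() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root org "Example Corp Internal Root CA"
make_root other "Unrelated Public Root CA"
issue_leaf org intranet.example.internal
echo "against own root:       $(check_trust org)"    # trusted
echo "against unrelated root: $(check_trust other)"  # untrusted
```

The second line is what a visitor's browser sees: the chain is valid, but it ends at a root the browser was never told to trust, so the user is asked to accept it explicitly.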
