I have a distributed application consisting of many components that communicate over TCP (for example JMS) and HTTP. All components run on internal hardware, with internal IP addresses, and are not accessible to the public.

I want to make the communication secure using SSL. Does it make sense to purchase signed certificates from a well-known certificate authority? Or should I just use self-signed certs?

My understanding of the advantage of trusted certs is that the authority is an entity that can be trusted by the general public - but that is only an issue when the general public needs to be sure that the entity at a particular domain is who they say they are.

Therefore, in my case, where the same organization is responsible for the components at both ends of the communication, and everything in between, a publicly trusted authority would be pointless. In other words, if I generate and sign a certificate for my own server, I know that it's trustworthy. And no one from outside the organization will ever be asked to trust this certificate. That is my reasoning - am I correct, or is there some potential advantage to using certs from a known authority?

A: 

I'd say it's reasonably safe, unless you think a ninja infiltrator is going to swap your server on you.

The 3rd party is there to make it harder to just 'up & generate' a new cert. Someone could re-create a self-signed cert on a new machine with the same details; it wouldn't be the same cert, and you'd have to add an exception for it too, but your users probably wouldn't know the difference.

Aren
That was not my understanding of trusted authorities. But I am a beginner at this stuff! I thought that the idea was that having a cert from a trusted authority allows you to persuade the general public that you can be trusted. The key point (no pun intended) would be that a paid-for cert is no harder to generate than a self-signed one - it's simply that it comes from someone that everybody trusts. So it's like the difference between making an ID card yourself and getting one from the Government. You can make a unique, unforgeable one yourself, but you can't expect anyone else to accept it?
To elaborate further, this answer covers the role of the CA: http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified "Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority." In other words, the use of a trusted CA does not mean that the certificate has not been stolen, forged or spoofed - only that it was originally issued by the entity that the server claims it was issued by.
hop
+1  A: 

There is no need for you to use an external public CA for a closed community project. In many larger organisations they operate an internal PKI to issue certs for internal projects like this. An advantage of using a PKI is that you can set up a trust relationship between the various components based on a single securely distributed root certificate / trust anchor.

However, if the project allowed internal users to connect securely to an internal service via their web browser you may want to consider using a public CA issued cert. The alternative is to make sure that every browser that may need to connect to your service trusts your root cert; this is to prevent browser warning messages.

bignum
it is easy to include your own ca in your users' browsers with centralized management. therefore browser warnings are not a valid reason to waste money on a commercial ca.
hop
@hop not always in a large organisation with a complex user base and heavy change control. In these environments, if you need to provide a secure service to browser users it may be cheaper and less problematic to simply get a public CA cert.
bignum
@biffabacon: sounds like the kind of dysfunctional organization that would remove all commercial CAs out of paranoia in the first place. don't try to make up silly arguments that -- even if they were valid -- would only affect a tiny fraction of SO users. thank you.
hop
@hop you need to get more real world experience; as a consultant I have visited many organisations that use public CA certs internally for this very reason - including several banks.
bignum
@biffabacon: ad hominem? classy.
hop
A: 

As long as your system is running inside your group and there are no plans to expand it (and plans do change, so keep that in mind), it is just fine to set up your own simple PKI infrastructure.

If you do end up expanding beyond your organization, all you need to do is distribute your root certificate to the parties you will be communicating with. This actually gives your partners fine-grained control over how much trust they want to put in you vs the public CA infrastructure.

Nasko
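As an added example (not code from any of the answers above), the following script builds the kind of small internal PKI that bignum's and Nasko's answers describe with the openssl CLI: one self-signed root acts as the single trust anchor that is distributed to every component (or to a partner, if the system ever grows beyond the organisation), each component gets a certificate signed by that root, and a client that holds only the root rejects a look-alike self-signed certificate with an identical subject, which is the "re-create a self-signed cert with the same details" case from Aren's answer. The CA name, the component name `jms-broker`, the config file and all file paths are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal internal PKI with the
# openssl CLI. One self-signed root is the only trust anchor the components
# need; every component cert is signed by it, and a client holding only
# root.pem rejects a look-alike self-signed cert even with an identical CN.
# All names, subjects and paths below are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the root gets basicConstraints CA:TRUE regardless
# of the system-wide openssl.cnf. Subjects are passed with -subj, so the
# dn section can stay empty.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# The trust anchor: a self-signed root CA. root.pem is what gets distributed
# to every component; root.key never leaves the signing host.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/pki.cnf" -extensions v3_ca \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Issue a certificate for one component ($1 = name used as CN and file prefix):
# the component generates its own key and CSR, the root signs the CSR.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/pki.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# A self-signed cert with the same subject but no relation to the root:
# the "re-create a self-signed cert with the same details" case.
make_lookalike_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/pki.cnf" -subj "/CN=$1" \
    -keyout "$WORK/$1-lookalike.key" -out "$WORK/$1-lookalike.pem" 2>/dev/null
}

# What every client should do: chain the peer cert to the distributed root
# and to nothing else. Prints "ok" when the chain verifies, "fail" otherwise.
verify_against_root() {
  if openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Build the whole PKI: config, root, one issued component cert, one look-alike.
setup_pki() {
  write_config
  make_root_ca
  issue_cert jms-broker
  make_lookalike_cert jms-broker
}

setup_pki
echo "issued cert:    $(verify_against_root "$WORK/jms-broker.pem")"
echo "lookalike cert: $(verify_against_root "$WORK/jms-broker-lookalike.pem")"
```

The point of the last two lines is the one the thread circles around: the look-alike has the same CN and would look identical to a user reading the subject, but a client configured with `root.pem` as its only trust store refuses it because it was not signed by the root. Whether the root is your own or a public CA's makes no difference to that check; what matters is that the clients are configured to trust exactly the anchor you chose and that the root's private key stays off the component hosts.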