tags:

views:

191

answers:

3
+3  Q: 

SSL signed certificates for internal use

I have a distributed application consisting of many components that communicate over TCP (for examle JMS) and HTTP. All components run on internal hardware, with internal IP addresses, and are not accessible to the public.

I want to make the communication secure using SSL. Does it make sense to purchase signed certificates from a well-known certificate authority? Or should I just use self-signed certs?

My understanding of the advantage of trusted certs is that the authority is an entity that can be trusted by the general public - but that is only an issue when the general public needs to be sure that the entity at a particular domain is who they say they are.

Therefore, in my case, where the same organization is responsible for the components at both ends of the communication, and everything in between, a publicly trusted authority would be pointless. In other words, if I generate and sign a certificate for my own server, I know that it's trustworthy. And no one from outside the organization will ever be asked to trust this certificate. That is my reasoning - am I correct, or is there some potential advantage to using certs from a known authority?

A: 

I'd say it's reasonably safe, unless you think a ninja infiltrator is going to swap your server on you.

The 3rd party is there to make it harder to just 'up & generate' a new cert. Someone could re-create a self-signed cert on a new machine with the same details, it wouldn't be the same cert, you'd have to add an exception for it too, but your users probably wouldn't know the difference.

Aren  2010-04-20 15:22:08
That was not my understanding of trusted authorities. But I am a beginner at this stuff! I thought that the idea was that having a cert from a trusted authority allows you to persuade the general public that you can be trusted. The key point (no pun intended) would be that a payed-for cert is no harder to generate than a self-signed one - it's simply that it comes from someone that everybody trusts. So it's like the difference between making an ID card yourself and getting one from the Government. You can make a unique, unforgeable one yourself, but you can't expect anyone else to accept it?
 2010-04-20 15:27:48
To elaborate further, this answer covers the role of the CA:http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified"Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority."In other words, the use of a trusted CA does not mean that the certificate has not been stolen, forged or spoofed - only that it was originally issued by the entity that the server claims it was issued by.
 2010-04-20 15:49:56
hop  2010-04-20 17:50:44
+1  A: 

There is no need for you to use an external public CA for a closed community project. In many larger organisations they operate an internal PKI to issue certs for internal projects like this. An advantage of using a PKI is that you can setup a trust relationship between the various components based on a single securely distributed root certificate / trust anchor.

However, if the project allowed internal users to connect securely to an internal service via their web browser you may want to consider using a public CA issued cert. The alternative is to make sure that every browser that may need to connect to your service trusted your root cert; this is to prevent browser warning messages.

bignum  2010-04-20 16:04:16
it is easy to include your own ca in your users' browsers with centralized management. therefor browser warnings are not a valid reason to waste money on a commercial ca.
hop  2010-04-20 17:53:51
@hop not always in a large organisation with a complex user base and heavy change control. In these environments, if you need to provide a secure service to browser users it may be cheaper and less problematic to simply get a public CA cert.
bignum  2010-04-21 07:03:37
@biffabacon: sounds like the kind of dysfunctional organization that would remove all commercial CAs out of paranoia in the first place. don't try to make up silly arguments that -- even if they were valid -- would only affect a tiny fraction of SO users. thank you.
hop  2010-04-21 11:35:36
@hop you need to get more real world experience; as a consultant I have visited many organisations that use public CA certs internally for this very reason - including several banks.
bignum  2010-04-21 11:45:14
@biffabacon: ad hominem? classy.
hop  2010-04-21 12:25:48
A: 

As long as your system is running inside your group and there are no plans to expand it (and plans do change, so keep that in mind), it is just fine to setup your own simple PKI infrastructure.

If you do end up expanding beyond your organization, all you need to do is distribute your root certificate to the parties you will be communicating. This gives actually a fine grained control to your partners how much trust they want to put in you vs the public CA infrastructure.

Nasko  2010-04-20 16:17:55

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL