All geek questions in one place

Any real disadvantage of using self-public certificates when working with well-known agents?

I am setting up a web service that will be used only by a limited number (<100) of known agents (business partners, etc.).

Since I am not a public person, am I facing any real flaw with the use of self-testing certificates, and not with a much more expensive way to use a well-known CA?

Edit: I have to clarify that the main goal we hope to get out of certificates is to fulfill the second factor in two-factor authentication (password for something, X.509 certificate for something)

+4
source share
3 answers

There is no real flaw, but in these circumstances it is easier to use a private CA. This private CA has a self-signed certificate and permits everything else in your closed world. Write down the policy (you know, on a piece of paper) who signs your certificate and how you are going to do the subscription, and you will work as the "real" CAs do it.

But if there are external business partners, it may be easier to just use a regular CA. You can get service certificates, signed very little, so cheap skiing on them is simply not worth it. This only becomes a problem when you start to want to do things like delegated authority and the like; at this point you want to start reading about OAuth and FOAF + SSL . And maybe other things; this is a deep rabbit hole.

+5
source

With a self-signed certificate, users will be warned that the browser does not trust the browser until they manually add the signing certificate to their certificate cache, or they will have to click to accept the fact that the certificate may be unreliable.

With a well-known CA, such as Verisign, the signature certificate will usually be pre-installed on their PC, so the user will not receive an invitation

Also, security considerations (from Wikipedia - did not meet this yourself): "Self-signed certificates cannot (by nature) be canceled, which can allow an attacker who has already gained access to monitoring and entering data into the connection to hide his identity if the private key was "On the other hand, CAs have the ability to revoke a compromised certificate, which prevents its further use."

+1
source

I would think that most security-conscious people would be embarrassed to import some guy root certificate. Hell, I have certificates that I created MYSELF that I don't want to import. And a lot of software will refuse to deal with a server whose certificate is not issued by a CA that it (or the OS) trusts.

Seriously, check out http://www.startssl.com . They offer free certificates, which seem to be very well supported by most common browsers and OS. This is much easier than even trying to tell people how to install a root certificate.

0
source

Source: https://habr.com/ru/post/1311284/

More articles:


All Articles