| Author |
Message
|
| angka |
 Posted: Thu Jul 05, 2007 12:54 am Post subject: Self signed and CA signed |
 |
|
Chevalier
Joined: 20 Sep 2005
Posts: 406
|
Hi,
What are the advantages to use CA signed cert compare to self signed?
I can only think of one which is cert renewal dun need the other connected system to be involved.
Thanks. |
|
| Back to top |
|
 |
| Mr Butcher |
| Posted: Thu Jul 05, 2007 1:33 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
yes, but depending on the number of channels (or different dustomers) this can really be a big advantage.
on the one hand you have cost savings if you use self singed certificates, on the other hand you have less administration work if you use CA signed certs. whatever is best for you.
we agreed only to use CA signed certs with your MQ connections to customers because we do not want to import and re-new all the customers sel-sign-root-CAs certs.
_________________
Regards, Butcher |
|
| Back to top |
|
|
| angka |
| Posted: Thu Jul 05, 2007 3:07 am Post subject: |
|
|
Chevalier
Joined: 20 Sep 2005
Posts: 406
|
Hi,
Any security issue?? I can't think of any..
Thanks |
|
| Back to top |
|
|
| Mr Butcher |
| Posted: Thu Jul 05, 2007 3:59 am Post subject: |
|
|
Padawan
Joined: 23 May 2005
Posts: 1716
|
i can. it depends how much security you set up at your end.
imagine i am your customer, and you accept my self-signed certificates, which means the public key of my signer ca (root ca)? is in your key storage.
now every certificate i sign with my CA is valid for you (theoretically).
lets assume i know other customers that connect to you. from the customers name it is not a big problem to find out about the distinguised name in the certificate they use to connect to you.
now i create my own certificate using their name, sign it, am i able to connect to you? i think so.
what happens if i am intruded and my root CA is stolen? Can someone do the same on his system and connect to you? i think so.
This does not mean things like this can not happen when you use "official" CAs, but - to get a signed certificate from them you have to give some official information about your company (in German its Handlesregister, which means you company must be registered somewhere), must have procura and so on. So the signed certificate from official CA is more reliable (and trustable), a self signed certificate can be anything.
A SSL guru may explain better (and of course will know more issues about security), but thats what i think from my basic SSL knowledge......
_________________
Regards, Butcher |
|
| Back to top |
|
|
| marcin.kasinski |
| Posted: Thu Jul 05, 2007 5:17 am Post subject: |
|
|
Sentinel
Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw
|
I would say it this way:
DEV and test environment -> use self-signed cert.
PRD environment -> use standard PKI with CA infastructure.
_________________
Marcin |
|
| Back to top |
|
|
| angka |
| Posted: Thu Jul 05, 2007 11:52 pm Post subject: |
|
|
Chevalier
Joined: 20 Sep 2005
Posts: 406
|
lets assume i know other customers that connect to you. from the customers name it is not a big problem to find out about the distinguised name in the certificate they use to connect to you. now i create my own certificate using their name, sign it, am i able to connect to you? i think so.
But I shld be able overcome this by having 2 way authentication right?
I know the best practice is to have a CA signed but it cost money.. =)
Thanks all. |
|
| Back to top |
|
|
| marcin.kasinski |
| Posted: Fri Jul 06, 2007 12:05 am Post subject: |
|
|
Sentinel
Joined: 21 Dec 2004
Posts: 850
Location: Poland / Warsaw
|
| angka wrote: |
But I shld be able overcome this by having 2 way authentication right?
|
Right.
| angka wrote: |
I know the best practice is to have a CA signed but it cost money.. =)
Thanks all. |
Please...
Dont save money on certs.
_________________
Marcin |
|
| Back to top |
|
|
| angka |
| Posted: Fri Jul 06, 2007 12:30 am Post subject: |
|
|
Chevalier
Joined: 20 Sep 2005
Posts: 406
|
Hi,
Thanks. I need to present to user and they will ask... hopefully they accept my reason... |
|
| Back to top |
|
|
|
|
