SSL signed certificates for internal use

Posted by rogueprocess on Stack Overflow See other posts from Stack Overflow or by rogueprocess
Published on 2010-04-20T15:10:31Z Indexed on 2010/04/20 15:13 UTC
Read the original article Hit count: 287

Filed under:

ssl

|

certificates

|

trusted

I have a distributed application consisting of many components that communicate over TCP (for examle JMS) and HTTP. All components run on internal hardware, with internal IP addresses, and are not accessible to the public.

I want to make the communication secure using SSL. Does it make sense to purchase signed certificates from a well-known certificate authority? Or should I just use self-signed certs?

My understanding of the advantage of trusted certs is that the authority is an entity that can be trusted by the general public - but that is only an issue when the general public needs to be sure that the entity at a particular domain is who they say they are.

Therefore, in my case, where the same organization is responsible for the components at both ends of the communication, and everything in between, a publicly trusted authority would be pointless. In other words, if I generate and sign a certificate for my own server, I know that it's trustworthy. And no one from outside the organization will ever be asked to trust this certificate. That is my reasoning - am I correct, or is there some potential advantage to using certs from a known authority?

© Stack Overflow or respective owner

Related posts about ssl

Plesk SSL Certificate (Default cert when SSL enabled, CORRECT cert when SSL is disabled)

as seen on Server Fault - Search for 'Server Fault'
I'm running Plesk 8.6.0: I have an SSL cert installed through Plesk's admin interface. But I have a bit of an issue: When I enabled SSL for the site, and selected my cert, then restart httpd, Plesk defaults to using my self-signed default certificate. Conversely, when I disable SSL support for the… >>> More
apache renew ssl not working [on hold]

as seen on Server Fault - Search for 'Server Fault'
Downloaded a new ssl cert from go daddy and installed the cert on apache2 server put the cert in /etc/ssl/certs/ folder put the gd_bundle.crt in the /etc/ssl/ folder private key is in /etc/ssl/private/private.key I just replaced the original files with the new files, did not replace the private… >>> More
Cant connect to mysql using self signed SSL certificate

as seen on Server Fault - Search for 'Server Fault'
After creating a self-signed SSL certificate, I have configured my remote mysqld to use them (and ssl is enabled) I ssh into my remote server, and try connecting to its own mysqld using ssl (mysql server is 5.5.25).. ~> mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client… >>> More
How to log invalid client SSL certificate in SSL

as seen on Server Fault - Search for 'Server Fault'
I have a IIS web site which requires client certificate. I have turned off CRL checking. The client is unable to access the web site - he gets 403.17 (certificate expired) error. I would like to log the certificate he is using, becaue I think he is using the wrong certificate. Is there a way to… >>> More
Mixing SSL and non-SSL content in an Apache2 virtual host

as seen on Server Fault - Search for 'Server Fault'
I have a (hopefully) common scenario for one of my sites that I just can't seem to figure out how to deploy correctly. I have the following site and directories for example.com: These need to require SSL: /var/www/example.com/admin /var/www/example.com/order These need to be non-SSL: /var/www/example… >>> More

Related posts about certificates

Clearing Java certificates cache (force reload certificates)

as seen on Server Fault - Search for 'Server Fault'
A simple question here. One application gave me this exception when trying to access a website with a expired certificate: java.security.cert.CertificateExpiredException So, I renewed the certificated from the website machine and restarted it. When I try to access it from Firefox or Chrome it will… >>> More
SSL certificates and types for securing your websites and applications

as seen on Server Fault - Search for 'Server Fault'
Need to share few information regarding SSL certificates and there types, which SSL certificates are widely used etc. There are several SSL certificates available in the market today inorder to secure your domains, multiple subdomains, your applications and code too. Few of the details are mentioned… >>> More
ca-certificates-java fails to install

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I use a VPS with Ubuntu Server 10.10. I want to use Jetty and run the command sudo apt-get install jetty but it fails because the installation encounted errors while processing ca-certificates-java. I have tried to install the failed package with: sudo apt-get install ca-certificates-java How can… >>> More
apport-collect fails with "certificate verify failed" when trying to report a bug on launchpad

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am trying to report a bug but I get root@beagle:/usr/lib/python2.7/dist-packages/apport# apport-collect <bug_id> ERROR: connecting to Launchpad failed: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed You can reset the credentials by… >>> More
Hot to get XChat to trust CA certificate?

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I have created an SSL certificate authority including a sub-authority to issue certificates. I have copied the root certificate to /usr/share/ca-certificates/extra and added it to /etc/ca-certificates, then ran dpkg-reconfigure ca-certificates and update-ca-certificates. After it said "Adding debian:… >>> More