Solved

Just want encryption. Do I need Server Cert?

Posted on 2003-11-12
Last Modified: 2010-04-11
I have a web-based application on the Internet.  I want to secure the data transmission between web server and client's browser.

My web server supports SSL on port 443.

Since obtaining a server cert from a CA costs money, and to save my wallet, is it necessary to have a server cert for encrypting data over the Internet? (Or, how can I get a server cert freely and easily?)

Please advise.  Thanks.
0
11 Comments
 
LVL 18

Assisted Solution

by:liddler
liddler earned 20 total points
ID: 9729762
A server cert is a way of saying the CA definitely says this secure server is you.  The cert doesn't make the traffic any more encrypted, it is about stopping other people spoofing your site.
0
 
LVL 1

Expert Comment

by:ajenkins
ID: 9730552
The web page https://www.fortify.net/sslcheck.html will tell you what sort of SSL your web browser can support.  https://www.fortify.net/README_main.html#check explains what it actually does and other ways to verify what level of SSL connection you're getting.  (Ignore the guff on Netscape).

If you want a CA for your web site, check out http://slwww.epfl.ch/SIC/SL/CA/
or possibly http://www.entrust.com/freecerts/webcerts/ca_cert.htm
0
 
LVL 2

Accepted Solution

by:
Jason_Deckard earned 30 total points
ID: 9730817
saikit,

A server certificate is needed for SSL (HTTPS).  You can either purchase a certificate from a well-known Certificate Authority (CA), or you can create a self-signed certificate (you are the CA in this case).

The issuer of a certificate (the CA) must be trusted by the client in order for the SSL handshake to succeed.  Clients trust CAs by installing the CA's certificate (also known as a "Trusted Root Certificate") into their browser.  Popular browsers, such as IE, Netscape, and Konqueror, have many Trusted Root Certificates built into them.  This allows end-users to successfully negotiate HTTPS and other SSL sessions with websites that use certificates from the well-known CAs, such as Verisign and Entrust (plus many, many others).

The advantage of purchasing a certificate from Verisign (or other well-known CA) is your clients' browsers will automatically trust your server certificate without any sort of intervention on their part.  The disadvantage is cost.  Certificates can cost hundreds or thousands of dollars, and you must renew them annually.

The advantage of creating a self-signed certificate is the cost savings.  The disadvantages are:  1) having to maintain your own CA.  2) having to convince your users to install your Trusted Root Certificate.  3) having to (in some cases) teach your users to install Trusted Root Certificates.

The choice to go with a self-signed certificate or one issued by a well-known CA is yours.  In the end, you must decide between spending more money or spending more time.

Please let us know if you have any further questions about SSL certificates.

Regards,
Jason Deckard
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9733420
Thawte is a much lower cost alternative CA if using IIS
http://www.thawte.com/ucgi/gothawte.cgi?a=e39570151217027000

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9734284
You might also consider a VPN for a limited audience if you're running an MS server or your router has the capability.
0
 
LVL 9

Expert Comment

by:TooKoolKris
ID: 9736062
lrmoore has you in the right direction if using IIS. Are you running Application Server?
0
 

Author Comment

by:saikit
ID: 9736725
My webserver is Apache.  If I don't have a server cert from a public CA, will the client's browser show a dialog box saying that I don't have a good server cert?

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9737095
You could issue your own certificate
( see http://www.bigbiz.com/docs/CA.html )

The issue is "Does the client trust the certificate authority"
Normally when someone does business on the web, they can see that the issuer is Verisign, Thawte, etc... a concern that verified the identity of the certificate holder. Privately issued certificates are routinely used on intranets, as the client trusts the company they're working for.

You can get a public certificate for as little as $35.
You have to have a registered DNS name and the certificate is tied to that.
http://freessl.com/freessl/freessl.html
 
0
 

Author Comment

by:saikit
ID: 9737619
Dear Experts,

Thanks for the wealth of info. I think I need to build my own CA.  May I know more: my concern is how end-users will see the difference between my own CA and a well-known CA?

(Will any dialog be prompted? Or may I have two example URLs, one using a private CA and one using a well-known CA?)
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9738634
Clients must import your root certificate. The root certificates of the major CAs are usually already present in your browser's distribution files. You may notice they expire from time to time and new ones have to be installed.
The normal way to do this would be to put it on the server at port 80 and point them to it.

http://sapiens.wustl.edu/~sysmain/info/openssl/openssl_ca.html

Here's an example of a small CA's web page for doing this:
http://www.nextj.com/security.html



and a howto for openssl:
http://www.grennan.com/CA-HOWTO-1.html
0
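The difference described in the answers above (a certificate from your own CA works, but only for clients that have imported its root) can be reproduced with the openssl command line. This is an added example, not part of any post in the thread: the CA names, the host www.example.test and the file names are constructed placeholders, and a second throwaway root stands in for the roots a browser ships with.

```shell
#!/bin/sh
# Added example with constructed names: the CA names, www.example.test and
# the file layout are placeholders, not values from the thread.

# Create a self-signed root certificate: $1 = file prefix, $2 = CA name.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=$2/CN=$2 Root" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Issue a server certificate for host $3, signed by the CA at prefix $2,
# writing server.key / server.csr / server.crt into directory $1.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$1/ext.cnf"
    openssl x509 -req -in "$1/server.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/ext.cnf" \
        -out "$1/server.crt" 2>/dev/null
}

# The client's decision: does certificate $2 chain to a root in trust store $1?
client_accepts() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Build both roots and the server certificate in a temp dir; print its path.
build_demo() {
    demo_dir=$(mktemp -d) || return 1
    make_root "$demo_dir/private_ca" "Example Private CA" || return 1
    # Stand-in for a root that is already built into the browser.
    make_root "$demo_dir/other_ca" "Stand-in Public CA" || return 1
    issue_server_cert "$demo_dir" "$demo_dir/private_ca" "www.example.test" || return 1
    echo "$demo_dir"
}

demo=$(build_demo) || exit 1
client_accepts "$demo/other_ca.crt" "$demo/server.crt" \
    && echo "root not imported: accepted" || echo "root not imported: warning shown"
client_accepts "$demo/private_ca.crt" "$demo/server.crt" \
    && echo "root imported: accepted" || echo "root imported: warning shown"
rm -rf "$demo"
```

On Apache with mod_ssl, `server.crt` and `server.key` are the files that `SSLCertificateFile` and `SSLCertificateKeyFile` point at, and `private_ca.crt` is the file users import; `private_ca.key` never leaves the CA machine.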
 
LVL 18

Expert Comment

by:chicagoan
ID: 9880132
Did these comments answer your question?
0
