Solved

Self-signed certificates

Posted on 2014-11-13
2
98 Views
Last Modified: 2014-12-01
Can someone explain to me about self-signed certificates.

I was told it is just used internally and it is cheaper than SSL.

I thought it is simply used internally on a Microsoft environment, for logons and accessing resources on the network.

Thanks
0
Comment
Question by:techgenious
2 Comments
 
LVL 23

Accepted Solution

by:
Michael74 earned 500 total points
ID: 40441731
Wikipedia has a good entry on this
http://en.wikipedia.org/wiki/Self-signed_certificate

It is worth noting that most browser will display a warning when encountering a self signed certificate
https://www.globalsign.com/ssl-information-center/dangers-of-self-signed-certificates.html

and finally here is another link
http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40441811
Self-signed certificates are generally certificates generated by the device/machine that needs it. Many firewalls will generate a "self-signed" certificate on first boot-up, for example. They are not signed by any CA, so establishing a chain of trust is not scalable at all. They are usually used for test labs only because of this limitation.

Many people also refer to internally issues certificates as "self-signed" although this terminology is abused and inaccurate. For larger organizations, it is perfectly normal to stand up an internal CA and issue certificates for clients, servers, users, and more. Any machine that trusts the CA will trust all certificates issued to is, so this is far more scalable. But external machines will still throw an error since they don't trust the CA. So you'll often see this type of deployment for resources that are internal to a network (not necessarily Microsoft) where centralized policies can push out the CA's root certificate and establish trust. Deploying an enterprise (not guest) WiFi with WPA2-Enterprise, for example. Or signing internal LOB applications, updates, various management agents, etc.

The benefit of this over a wildcard public cert is that individual certificates can be revoked as needed. Have a laptop stolen? Instead of revoking the wildcard cert, you revoke the certificate used to authenticate that laptop on the corporate wireless network. Far less intrusive and far more scalable.

Then, there are public certs, which I've never heard anybody refer to as self-signed. The only difference between these and internally signed certificates is that a public CA has paid companies money and passed certificates so their root certs are pre-installed in browsers and are trusted. That is why, when you visit a site that has a certificate from GoDaddy, you don't have to install the GoDaddy root cert (or starfield, or whatever.) It behaves the same otherwise. It still checks the chain for trust. Just the root is already trusted.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now