Solved

Self-signed certificates

Posted on 2014-11-13
2
112 Views
Last Modified: 2014-12-01
Can someone explain to me about self-signed certificates.

I was told it is just used internally and it is cheaper than SSL.

I thought it is simply used internally on a Microsoft environment, for logons and accessing resources on the network.

Thanks
0
Comment
Question by:techgenious
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 23

Accepted Solution

by:
Michael Fowler earned 500 total points
ID: 40441731
Wikipedia has a good entry on this
http://en.wikipedia.org/wiki/Self-signed_certificate

It is worth noting that most browser will display a warning when encountering a self signed certificate
https://www.globalsign.com/ssl-information-center/dangers-of-self-signed-certificates.html

and finally here is another link
http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40441811
Self-signed certificates are generally certificates generated by the device/machine that needs it. Many firewalls will generate a "self-signed" certificate on first boot-up, for example. They are not signed by any CA, so establishing a chain of trust is not scalable at all. They are usually used for test labs only because of this limitation.

Many people also refer to internally issues certificates as "self-signed" although this terminology is abused and inaccurate. For larger organizations, it is perfectly normal to stand up an internal CA and issue certificates for clients, servers, users, and more. Any machine that trusts the CA will trust all certificates issued to is, so this is far more scalable. But external machines will still throw an error since they don't trust the CA. So you'll often see this type of deployment for resources that are internal to a network (not necessarily Microsoft) where centralized policies can push out the CA's root certificate and establish trust. Deploying an enterprise (not guest) WiFi with WPA2-Enterprise, for example. Or signing internal LOB applications, updates, various management agents, etc.

The benefit of this over a wildcard public cert is that individual certificates can be revoked as needed. Have a laptop stolen? Instead of revoking the wildcard cert, you revoke the certificate used to authenticate that laptop on the corporate wireless network. Far less intrusive and far more scalable.

Then, there are public certs, which I've never heard anybody refer to as self-signed. The only difference between these and internally signed certificates is that a public CA has paid companies money and passed certificates so their root certs are pre-installed in browsers and are trusted. That is why, when you visit a site that has a certificate from GoDaddy, you don't have to install the GoDaddy root cert (or starfield, or whatever.) It behaves the same otherwise. It still checks the chain for trust. Just the root is already trusted.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question