minniejp

Internal SSL cert generator

Hi, I wanted to ask what the risks are (if any) and benefits (if any) of having your own internal cert server, rather than purchasing from a third party?
SSL / HTTPS


8/22/2022 - Mon
Sam Jacobs

There are no risks per se of using an internally generated certificate - just the inconvenience of needing to distribute the internal CA's root certificate to anyone who will be connecting (or their browser will throw errors/warnings).

On the pro side, you might say that it is a bit *more* secure than a 3rd party certificate, as only those to whom you have distributed the CA root will securely connect without errors/warnings.
ASKER CERTIFIED SOLUTION
Dr. Klahn

David Favor

Alternative: Use free https://LetsEncrypt.org certs to avoid cost + problems with self-signed certs.
David Johnson, CD

An internal CA generates the same bits that a commercial CA does. The difference is whether the third party trusts the CA. There are a few hundred or more trusted root certificate providers in every computer's certificate store. Your root CA will not be one of these. A public root CA must follow specific rules and policies when issuing certificates. Your internal CA may not even have a published policy. Symantec violated the rules and was kicked out of the Root Certificate Authorities. DigiCert bought their assets.

A certificate is all about trust. I'm not happy that browsers have deprecated the EV (Extended Validation) certificate green bar, so an EV cert is almost worthless or at the same value as a Domain Validated certificate.
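
The point made in the answers above, that a certificate from an internal CA validates only on clients that hold the internal root, can be reproduced with the `openssl` command line. This is an added example and not part of the original thread; the CA name, host name and file names are constructed, and it assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example. All names (Example Internal Root CA, intranet.example.test) are constructed.

# build_pki DIR: create an internal root CA in DIR and a server certificate signed by it.
build_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    cat > "$dir/srv.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = intranet.example.test
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:intranet.example.test
EOF
    # 1) Self-signed root; root.pem is the file that must be distributed to clients.
    # 2) Server key and CSR. 3) The internal CA signs the CSR (90-day leaf).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/srv.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 90 -sha256 -extfile "$dir/srv.cnf" -extensions v3_srv \
        -out "$dir/server.pem" 2>/dev/null
}

# Client that was given the internal root (ROOT, CERT): chain validation succeeds.
trusted_with_root() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Client relying only on the machine's default trust store (CERT): validation fails.
trusted_by_default() { openssl verify "$1" >/dev/null 2>&1; }

demo=$(mktemp -d) && build_pki "$demo"
trusted_with_root "$demo/root.pem" "$demo/server.pem" && echo "with internal root: OK"
trusted_by_default "$demo/server.pem" || echo "default trust store: rejected"
rm -rf "$demo"
```

The `root.key` file is what makes the internal CA trustworthy or not: anyone who obtains it can issue certificates that every client holding `root.pem` will accept.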
minniejp

ASKER
Many thanks to all for your input.
David Favor

You're welcome!