
Request a certificate from the certificate authority

Phishing question.

I have a TCP server application that uses certificates for TLS/SSL, stored in the PKCS#12 file. Assuming a CA is installed somewhere on the network and is accessible, would it be normal practice to request an SSL certificate from the CA (once), programmatically (C#), and write it out to the PKCS#12 file for use by the server?

Would that be normal practice, or would the more likely scenario be a case of buying the certificate from a CA like Thawte or VeriSign etc., specifically for that customer, and creating the PKCS#12 file beforehand, and installing it as part of the installation process?

scope_creep asked Apr 04 '12 14:04


1 Answer

I think this is a case where the argument can go either way.

Programmatic certificate requests and signing have their merits if you need to manage a large number of sites, at the loss of human-mediated validation if something goes horribly wrong (for example, if someone hijacks or listens in on your initial request). At some point, a trust decision needs to be made, either programmatically, or as a human operator.

This paper by Bruce Schneier goes into more detail, discussing potential risks to the CA architecture underpinning the trust decisions for PKI cryptography. I believe this covers many cases that are pertinent to your issue and your design that you may not have considered, and should.

MrGomez answered Oct 05 '22 02:10
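The programmatic flow the question asks about, with the trust decision from the answer made explicit in code. This is an added example, not code from the question or the answer. It assumes .NET 7 or later; `CaSign` is a hypothetical in-process stand-in for the network CA, and the subject name, CA name and password are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class Enrollment
{
    // Hypothetical stand-in for the network CA: signs the PKCS#10 request in-process.
    // LoadSigningRequest verifies the request's self-signature (proof of possession).
    static X509Certificate2 CaSign(X509Certificate2 ca, byte[] csr)
    {
        var req = CertificateRequest.LoadSigningRequest(csr, HashAlgorithmName.SHA256);
        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] &= 0x7F; // keep the serial number positive
        var now = DateTimeOffset.UtcNow;
        return req.Create(ca, now.AddMinutes(-5), now.AddDays(90), serial);
    }

    // Server side: the private key is generated locally and only the CSR is sent out.
    static byte[] EnrollToPkcs12(X509Certificate2 pinnedCa,
                                 Func<byte[], X509Certificate2> submit, string password)
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=server.example.test", key, HashAlgorithmName.SHA256);
        X509Certificate2 issued = submit(req.CreateSigningRequest());

        // Trust decision made in code: accept only a chain ending at the pinned CA.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(pinnedCa);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // test CA publishes no CRL
        if (!chain.Build(issued))
            throw new CryptographicException("Issued certificate does not chain to the pinned CA.");

        // Throws if the certificate's public key is not the one we requested.
        using X509Certificate2 withKey = issued.CopyWithPrivateKey(key);
        return withKey.Export(X509ContentType.Pfx, password);
    }

    static void Main()
    {
        // Constructed test CA so the example runs offline.
        using ECDsa caKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var caReq = new CertificateRequest("CN=Constructed Test CA", caKey, HashAlgorithmName.SHA256);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        var now = DateTimeOffset.UtcNow;
        using X509Certificate2 ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddYears(1));

        byte[] pfx = EnrollToPkcs12(ca, csr => CaSign(ca, csr), "constructed-password");
        Console.WriteLine($"PKCS#12 ready: {pfx.Length} bytes");
    }
}
```

In a deployment, `submit` would be the call to the real CA's enrollment interface, and the pinned CA certificate would be shipped with the installer rather than fetched over the same channel as the request.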