I have a distributed application consisting of many components that communicate over TCP (for example JMS) and HTTP. All components run on internal hardware, with internal IP addresses, and are not accessible to the public.
I want to make the communication secure using SSL. Does it make sense to purchase signed certificates from a well-known certificate authority? Or should I just use self-signed certs?
My understanding of the advantage of trusted certs is that the authority is an entity that can be trusted by the general public - but that is only an issue when the general public needs to be sure that the entity at a particular domain is who they say they are.
Therefore, in my case, where the same organization is responsible for the components at both ends of the communication, and everything in between, a publicly trusted authority would be pointless. In other words, if I generate and sign a certificate for my own server, I know that it's trustworthy. And no one from outside the organization will ever be asked to trust this certificate. That is my reasoning - am I correct, or is there some potential advantage to using certs from a known authority?
No – SSL certificates can no longer be used to secure your company's internal websites, intranets or IP addresses. This is because internal servers are vulnerable to 'man-in-the-middle' attacks, in which attackers will use a copy of the real certificate to intercept and eavesdrop on any form of online communication.
For internal LAN-only services, you can use self-signed certificates, but you have to ensure that the issuing CA server is well-protected from cybercriminals, and is located in a place that is not accessible by all the employees of your organization.
It's not necessary but it is more secure to use both. If you want to ensure your internet access is secure and private, use HTTPS and a VPN. HTTPS gives you end-to-end encryption, and a VPN encrypts data from your computer to the VPN server.
There is no need for you to use an external public CA for a closed community project. In many larger organisations they operate an internal PKI to issue certs for internal projects like this. An advantage of using a PKI is that you can set up a trust relationship between the various components based on a single securely distributed root certificate / trust anchor.
However, if the project allowed internal users to connect securely to an internal service via their web browser you may want to consider using a public CA issued cert. The alternative is to make sure that every browser that may need to connect to your service trusts your root cert; this is to prevent browser warning messages.
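The trust-anchor point made in this answer, shown in code as an added example that is not part of the original post (Go standard library only; the CA name and hostnames are constructed): an internal root is generated once, each service gets a certificate issued under it, and every component verifies its peer against that single root instead of against a separate self-signed certificate per service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent's private key; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}

// BuildInternalPKI makes one internal root CA (the single distributed trust anchor) and a server cert under it.
func BuildInternalPKI(host string) (root, server *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().Add(-time.Minute) // tolerate small clock skew between hosts
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"}, // constructed name
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // the name a client matches against the address it dialled
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server = issue(srvTmpl, root, &srvKey.PublicKey, rootKey)
	return root, server
}

// TrustedBy is the handshake-time check: does cert chain to the distributed anchor and name host?
func TrustedBy(cert, trustAnchor *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustAnchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

A certificate from a different root, or one that does not name the host being dialled, fails the same check, which is why only the root certificate (never its private key) needs to reach the components.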