Why is using a certificate, made with the MakeCert tool, in production bad?

I'm currently working on a project where I've created a CA cert and a couple of child certs to that CA cert. The certificates are going to be used to protect inter-server communication in a SAMLV2 setup so I'm going to have a cert for the identity provider and a cert for the service provider. The user/browser isn't going to validate the certs so it's only the servers that need to trust my custom CA. My cert tree looks something like this:

  • CustomRootCACert
    • CustomIdentityProviderCert
    • CustomServiceProviderCert

Now, I've heard a lot of people saying it's bad to use a home-made certificate in production. But when I ask why, people usually just mutter something about security but never go into the details. Are there any technical reasons not to use my own certs in production? I can't think of any... Of course I realize that if I lose control of my root cert anyone could start creating all sorts of certificates. But in this case they would also have to install the certificates on my servers and configure the SAML application to use them. Only then could they start to generate fake SAML requests and responses to my applications.

If this is the only problem, this solution (using home-made certs in production) would still be better than the login setup we have today.

JohannesH asked Feb 09 '09 11:02



1 Answer

Ask yourself what a certificate proves.

If you get a certificate issued by a reputable CA, then it proves that the certificate holder has verified their identity to that CA, to their standards of proof.

If you get a certificate issued by an ad-hoc CA, then it proves that someone knows how to make certificates.

If you control both ends of the conversation, I think it's fine to have your own private CA for the purpose. You would trust your own CA. You can probably make this very secure indeed (by keeping the CA private key in a safe place offline, and making signing a sneakernet exercise).

The difficulty would be if you needed to persuade anyone else to trust your CA. Why should they? You would need to convince them that it was safe to do so, and they would have the admin overhead of adding your CA certificate to their clients.

slim answered Nov 09 '22 00:11
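To make the answer's point concrete, here is an added Go example (not code from either poster) that builds the certificate tree from the question and then verifies the IdP leaf against the private root only, never against the system store; the Ed25519 keys, one-year validity and the verification helper are assumptions of this example, and the names are the ones in the question.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a new key pair and certificate for cn: a self-signed CA when parent is nil, else a leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if parent == nil { // root: flagged as a CA and permitted to sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// trustedBy reports whether leaf chains to root alone; the system store is never consulted.
func trustedBy(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
func main() {
	root, rootKey, _ := issue("CustomRootCACert", nil, nil)
	idp, _, _ := issue("CustomIdentityProviderCert", root, rootKey)
	fmt.Println("IdP cert accepted by the private root:", trustedBy(idp, root)) // true
}
```

A certificate with the same CommonName issued by any other ad-hoc CA fails the same check, which is why a private CA is only as good as the secrecy of its signing key and the discipline of trusting nothing else on the servers.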