Digital Certificate Authority (CA)

In cryptography, a Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

Public CA

Public CAs are entities that issue SSL certificates for verifiable public web domains.  Well-known Public CAs are Comodo, Symantec, GoDaddy and GlobalSign.  Depending upon the type of certificate issued, the level of validation the Public CA performs on the web domain varies.

The Domain Validated SSL Certificate (DV certificate) validates that the domain is registered and that someone with admin rights is aware of and approves the certificate request.  The validation process is normally performed via email or DNS. The owner is asked to prove administrative rights by receiving and confirming an email sent to an administrative address for the domain, or by configuring specific DNS records for the domain.

The Organization Validated SSL Certificate (OV certificate) validates the domain ownership, plus organization information included in the certificate such as name, city, state and country.  The validation process is similar to the domain validated certificate, but it requires additional documentation to certify the company identity.

The Extended Validation SSL Certificate (EV certificate) requires an extended validation of the business. It validates domain ownership and organization information, plus the legal existence of the organization. It also validates that the organization is aware of the SSL certificate request and approves it.  The validation requires documentation to certify the company identity plus a set of additional steps and checks.

Public CAs, however, are no longer permitted to issue certificates for internal/intranet web sites and servers.  Internal servers should use certificates provided by an Internal CA or use a self-signed certificate.

Internal CA

Establishing an Internal CA is the way to go for providing a seamless digital identity to the server programs, client programs, Active Directory objects, etc., in your organization.  An Internal CA has a root certificate that is trusted by all the objects in the organization.  The root certificate is used to sign the individual certificates allocated to each object within the organization.

Self-Signed Certificates

If your organization is not large enough to justify establishing an Internal CA, you could go down the route of issuing self-signed certificates for establishing internal SSL communication.  When party A tries to talk to party B, B must trust A’s self-signed certificate and vice versa.  How this trust is established depends on the platform on which A and B exist.
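The two internal options above (an Internal CA whose root signs each server certificate, and standalone self-signed certificates) differ only in what the relying party has in its trust store. The following openssl session, added here as an example and not part of the original post, builds a throwaway root CA, issues a server certificate from it, creates a separate self-signed certificate, and checks each against two different trust stores. The host names and the scratch directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example: minimal Internal CA vs. self-signed certificate, verified with openssl.
set -eu

# Creates a scratch directory holding: root CA, CA-signed server cert, self-signed cert.
make_internal_ca() {
  dir=$(mktemp -d)
  # 1. Root CA: a self-signed certificate that every object in the org will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Internal Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # 2. Server key + CSR for an internal host (host name is an assumption).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=intranet.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # 3. The root CA signs the server certificate (short lifetime for a leaf).
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 90 -sha256 -out "$dir/server.crt" 2>/dev/null
  # 4. A standalone self-signed certificate for comparison (the "no CA" route).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 90 \
    -subj "/CN=standalone.example.internal" \
    -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
  echo "$dir"
}

# verify_against TRUSTSTORE CERT -> prints "ok" if CERT chains to a trusted cert, else "fail".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

dir=$(make_internal_ca)
verify_against "$dir/root.crt" "$dir/server.crt"   # ok: chains to the trusted root
verify_against "$dir/root.crt" "$dir/self.crt"     # fail: issuer unknown to this trust store
verify_against "$dir/self.crt" "$dir/self.crt"     # ok: the self-signed cert itself is trusted
```

The last two lines are the operational difference: with an Internal CA a relying party trusts one root and accepts every certificate it signs, whereas with self-signed certificates each peer's certificate has to be added to the other side's trust store individually.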

