Manoj Srivastava: Manoj: Fighting FUD: Working with openssl
Unfortunately, there is so much FUD associated with doing your own certificates, based mostly on how complex the operation supposedly is, that it led to my previous supervisor insisting I use something like tinyca, and now to my employer succumbing to the FUD and shelling out several hundreds, perhaps several thousands, of dollars a year for something we could well have handled in house.
Public key infrastructure, in the form of the X509 standard, is the underpinning of most of the secured communications over the net these days. The big winner among the transport protocols, TLS, and its predecessor, SSL, both support X509 certificates. There are several ways of getting your own services their own X509 certs; one of which I am exploring below.
One may, of course, opt to get a commercially signed certificate, and various companies are eager to do just that for you. They also charge about $400 per annum per certificate for the privilege of doing so. While there is some marginal benefit of doing so (some web browsers come with the commercial public certificate built in, allowing for an out of band distribution of the public cert), the benefit accrued is in the order of pennies, in my opinion, not hundreds of dollars, unless you are providing banking or retail services, where the end users might be justified in being paranoid.
Why is there so much FUD about doing your own certificates? Especially about how hard it is to do your own? As you can see below, there are only three commands you have to master in order to set up your own private certifying authority and sign your own certificates. The only marginal issue is that the user needs to verify your certificate out of band (if, really, they want to bother). Most people just accept the certificate, in my experience.
The sole benefit that commercial entities provide is that they verify the identity of the person asking for the certificate, with varying degrees of diligence. For a Class 1 cert the CA usually just verifies that the email address of the requester was confirmed. For $400/year. For a Class 2 cert, they look up the company in credit bureau records. A Class 3 cert involves an ID check with a notary public present, or a government-issued ID.
So, a Class 3 cert is somewhat less diligent than becoming a Debian developer. Or getting your key signed at a Debian conference. As to the security aspects, or wondering whether to trust the information present on a designated web site, I have no idea how it helps verify any of those things in any way.
So the web site is run by a person with a government-provided ID, and who has a few hundred dollars to burn. So what?
Me, I just sign my own certificates. And I think most small business web sites and mail servers are perfectly well served by using their own certificates. And there are just three simple commands that enable them to do this, in the Linux world.
So what are these three commands?
Gory practical details and recipes hidden here
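The three commands the post refers to, written out here as an added example for this page and not the post's own hidden recipe: a POSIX shell script that creates a self-signed CA, produces a server key and signing request, and signs the request with the CA key. It then goes one step further than the three commands with the checks a practitioner wants: a chain verification as a client trusting the CA would perform, the CA's SHA-256 fingerprint to publish out of band (the verification step the post mentions), and a subjectAltName extension, since current clients match the hostname against SAN rather than CN. The CA name, hostname and scratch directory are made-up placeholders; everything else is standard openssl command-line usage.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal private CA with
# three openssl commands, plus the verification and fingerprint steps.
# "Example Private CA" and www.example.com are made-up placeholders.
set -eu

# make_ca DIR : step 1, create the self-signed CA key and certificate.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  # -x509 makes req emit a self-signed certificate instead of a request;
  # -nodes leaves the key unencrypted, so file permissions must protect it.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Private CA" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# make_csr DIR HOST : step 2, create the server key and a signing request.
make_csr() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" 2>/dev/null
  chmod 600 "$dir/$host.key"
}

# sign_csr DIR HOST : step 3, sign the request with the CA key.
sign_csr() {
  dir="$1"; host="$2"
  # Extensions are not copied from the CSR by default, so an extension
  # file supplies the SAN and marks the leaf as a non-CA certificate.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
    > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# verify_cert CAFILE CERT : chain check, as a client trusting CAFILE does.
# Returns non-zero when CERT was not issued by CAFILE.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_fingerprint DIR : the value to publish out of band so that users can
# confirm they imported the right CA certificate, not an impostor's.
ca_fingerprint() {
  openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_has_san DIR HOST : confirm the SAN actually landed in the leaf cert.
cert_has_san() {
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# demo : run all steps in a scratch directory and print the results.
demo() {
  dir="$(mktemp -d)"
  make_ca "$dir"
  make_csr "$dir" www.example.com
  sign_csr "$dir" www.example.com
  verify_cert "$dir/ca.crt" "$dir/www.example.com.crt" && echo "chain OK"
  echo "CA fingerprint (publish this out of band): $(ca_fingerprint "$dir")"
  echo "files in: $dir"
}

demo
```

Only ca.crt needs to reach the users; ca.key stays on the signing machine, and the printed fingerprint is what a user compares against before trusting the imported CA certificate.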
In conclusion, creating your own certifying authority is trivial, and certainly not worth several hundreds of dollars every year, and the functionality provided is identical.