Re: Acceptability Of Self-Sign SSL And Client Certificates

From: "Ray" <to@xxxxxxxxxxxxxx>
Date: Wed, 27 Jun 2007 22:26:00 -0400

If these are not publicly accessible servers and the only people you have to
worry about are your customers, how are you going to get your root
certificate on their browsers without causing them a lot of aggravation?

If there is a publicly accessible portal page, what is to prevent me from
creating an identical certificate and spoofing your site?

Personally, I would think you're cheaping out but a lot of other companies
do it. I would definitely use a real code-signing certificate at a minimum.
They are not that expensive.

Ray

"Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:45BF59AF-ACBD-4952-BE0D-BB383752AFCA@xxxxxxxxxxxxxxxx

Normally you would request an SSL certificate from a trusted online root
CA,
such as C&W, Verisign, Twawte or any of those listed under Certificates in
IE.

As a company specializing in SaaS we have several secure web servers and
intend to add many more, so we would like to be able to issue our own
server
certificates for SSL, as well as the client certificates needed to access
our
services, and in some cases we digitially sign certain ActiveX components
needed for particular functionality.

What is the general feeling about this in the industry?

Would you, as a prospective customer, think twice about accessing a secure
website where both the server and client certificates were issued by the
company that owns that website?

Or would you think that since you would be signing a contract for
services,
including NDA's and SLA's, that you would trust certificates issued by the
company you are contracting with?

Follow-Ups:
- Re: Acceptability Of Self-Sign SSL And Client Certificates
  - From: Andrew Hayes

Prev by Date: Re: IE 7 Product Key Email
Next by Date: Re: IE 7 Product Key Email
Previous by thread: Re: controlling deleting of files with NTFS
Next by thread: Re: Acceptability Of Self-Sign SSL And Client Certificates
Index(es):
- Date
- Thread

Relevant Pages

Unable to install certificates and unable to patch
... We have three terminal servers that we are not able to install MS ... Timestamping CA" certificates. ... When specify it to put them into the Trusted Root Certificate store I get ...
(microsoft.public.windows.server.general)
Terminal servers missing required certificates
... We have three terminal servers that we are not able to install MS ... Timestamping CA" certificates. ... When specify it to put them into the Trusted Root Certificate store I get ...
(microsoft.public.security)
Re: Multiple web hosts and SSL
... It is possible to create a "wildcard" cert using the name *.domain.com ... though there may be some limitations on which browsers [or servers?] can use ... packs had problems with wildcard certs, until service pack 1 or later was ... The price is not the same as non-wildcard certificates... ...
(microsoft.public.inetserver.iis.security)
Re: Terminal Services + IPsec using certificates?
... protect any data exchanged between client and server. ... have to manually set Encryption level to high. ... If you decide to use certificates for IPSec each computer would get it's own ... > of security around the servers. ...
(microsoft.public.win2000.security)
Re: Terminal servers missing required certificates
... Try logging on as a "local" administrator on those servers. ... trusted root certificate authorities/certificates. ... select all tasks - import and try to import the certificates that way. ... > We have three terminal servers that we are not able to install MS ...
(microsoft.public.security)