0

Let's say a web server would like to host traffic over HTTPS. My incomplete understanding is that TLS enables HTTPS.

client <--- HTTPS (over TLS) ---> server

The server must produce a certificate to present to the client, who then must trust it to proceed the HTTPS communication. The server has 2 options to get a certificate:

  1. Buy a certificate from a "Trusted Certificate Authority"
  2. Create a certificate

In the first case, as I understand, the client's run-time, e.g. Java's JRE, will trust the certificate.

However, in the second case, as I understand, the client must add the "certificate" to their "trust store."

Assuming the above is partially correct, why would a company choose the second option, i.e. produce their own certificate?

Kevin Meredith
  • 121
  • 5
  • 1
    You are asking about self-signed certs or purchased ones. There is also LetsEncrypt, which is free. – schroeder Apr 11 '17 at 13:51
  • Self-signed certs are not very secure (easy to spoof). Not typically done on public networks (the internet). – schroeder Apr 11 '17 at 13:52
  • Self-signed certs do not have to be installed on the trust store – schroeder Apr 11 '17 at 13:53
  • Apart from the marked duplicate see also [What are the risks of self signing a certificate for SSL](https://security.stackexchange.com/questions/8110/), [Does Self-signed certificate differ from CA from a security point of view?](https://security.stackexchange.com/questions/15510) or [Clarifying self-signed certificates vs root certificate authority](https://security.stackexchange.com/questions/82884/). – Steffen Ullrich Apr 11 '17 at 14:02
  • `Self-signed certs do not have to be installed on the trust store ` But doesn't the client need to "trust" the server's custom certificate in order for TLS to proceed, @schroeder? – Kevin Meredith Apr 11 '17 at 14:34
  • Many browsers ask you to accept the cert, yes. – schroeder Apr 11 '17 at 14:42

1 Answers1

1

Let's say I'm running a network of IOT devices and I want to enable trusted communications with them. If they're running with a standard certificate store, they'll trust any site with a certificate in their store. Alternatively, I could create my own PKI (Public Key Infrastructure), install only my certificate and these devices will only trust me. I can use this certificate to create encrypted sessions, monitor systems, deploy patches etc.

Another example is installing certificates on desktop endpoints and rejecting domain connections from systems without those certificates.

Another example would be installing certificates on payment terminals.

Consider also using client-side certificates to permit mutual authentication in client-server communications.

So, installing your own certificates can be a cheap way of creating a private trusted network.

AndyMac
  • 3,149
  • 12
  • 21