
We have dozens of internal management interfaces on our appliances that use self-signed certificates - ILO, DRAC, switch management, etc. These certificates display a warning in the browser, but their expiry or lack of trust does not break the service.

Our security manager wants to use valid internal certificates for these appliances and interfaces. Administrators only log on to these interfaces, not end-users. Most of the organisations I've worked with are fine with self-signed certificates for management interfaces.

What are the risks associated with using self-signed certificates on these management interfaces? Are there any NCSC, NIST or ISO best practices for this?

  • Potential duplicate: https://security.stackexchange.com/questions/34020/self-signed-certificates-for-https?rq=1 – schroeder May 13 '21 at 09:52
  • Whilst that thread is similar, it doesn't explicitly call out the assessment from a leading security body (e.g. NCSC, NIST, ISO, etc.). I'd be really keen on knowing the "official" guidance, as opposed to a more subjective answer. – Jay May 13 '21 at 10:25
  • NIST and ISO won't have specific guidance. The choice to use self-signed certs is situational. The reasons why are in the dupe. As for what any specific body might say, that's just a [google search away](https://www.google.com/search?q=ncsc+self-signed+certificate), but there can be no hard rule. It's subjective. The ***outcome*** is defined; not the path. – schroeder May 13 '21 at 10:39
  • I have seen at least one misguided attempt at eliminating the self-signed certificates in admin-only web interfaces that became a security disaster in itself... they used a wildcard certificate. – fraxinus May 13 '21 at 13:32
  • @JonnnyWizz, in the dup mentioned, has a very succinct comment that can help answer this question. – M S Sripati May 13 '21 at 22:11
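As an added example (not from the question or any of the comments), the script below shows the kind of inventory check an administrator would run when deciding which management certificates to replace: it classifies a PEM certificate as self-signed (issuer equals subject), trusted by the internal CA, or untrusted, flags a wildcard common name of the sort the comment above warns about, and reports whether the certificate expires within a given number of days. It assumes `openssl` is installed; the internal CA, the appliance certificates and the `*.mgmt.example.internal` host names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original question or comments.
# Builds a throwaway internal CA plus sample appliance certificates, then
# classifies each one the way a certificate inventory audit would.
# Assumes: openssl on PATH. All host names below are constructed placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway internal CA (constructed for this example only).
make_internal_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Internal Management CA" >/dev/null 2>&1
}

# Certificate as shipped on an appliance: self-signed, issuer == subject.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" \
    -subj "/CN=ilo01.mgmt.example.internal" >/dev/null 2>&1
}

# Certificate for one named host, issued by the internal CA.
make_ca_signed() {  # $1 = common name, $2 = output basename
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Normalised distinguished name (RFC 2253 form, spaces removed) so that the
# comparison below does not depend on the OpenSSL version's print format.
dn_of() {  # $1 = cert file, $2 = -subject or -issuer
  openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 \
    | sed 's/^subject=//; s/^issuer=//' | tr -d ' '
}

# Classify a PEM certificate against a CA bundle.
# Prints: self-signed | trusted | untrusted, with " wildcard" appended when the
# subject CN starts with "*." (only the CN is inspected; SANs are not parsed here).
classify_cert() {  # $1 = cert file, $2 = CA bundle file
  subject="$(dn_of "$1" -subject)"
  issuer="$(dn_of "$1" -issuer)"
  if [ "$subject" = "$issuer" ]; then
    verdict="self-signed"
  elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    verdict="trusted"
  else
    verdict="untrusted"
  fi
  case "$subject" in
    *"CN=*."*) verdict="$verdict wildcard" ;;
  esac
  printf '%s\n' "$verdict"
}

# True (exit 0) when the certificate expires within $2 days.
cert_expires_within_days() {  # $1 = cert file, $2 = days
  seconds=$(( $2 * 86400 ))
  ! openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1
}

make_internal_ca
make_self_signed
make_ca_signed "ilo02.mgmt.example.internal" ilo02
make_ca_signed "*.mgmt.example.internal" wildcard

# Stand-alone run: print the verdict for each constructed certificate.
for c in selfsigned ilo02 wildcard; do
  printf '%-12s %s\n' "$c" "$(classify_cert "$WORK/$c.crt" "$WORK/ca.crt")"
done
```

Run against real appliance certificates, `classify_cert` takes any PEM file (for example one saved from the browser's certificate viewer) and the bundle of internal CA certificates the organisation trusts; the "trusted wildcard" verdict is the case to look at separately, because a single private key shared across every management interface widens the blast radius of any one appliance being compromised.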

0 Answers