
When generating a certificate, what would be more secure: generating a self-signed certificate using PGP, or using a public CA like Let's Encrypt? We are using it for signing and encrypting.

What are the advantages and disadvantages?

Munchkin
  • More information would be helpful. What tool will users be using to verify signatures and to decrypt messages? Does this tool have the ability to authenticate certificates that chain-up to a public CA? If you don't use a CA-signed cert, and use a self-signed cert instead - then how will users authenticate these certs? – mti2935 Apr 26 '22 at 11:02
  • @mti2935 edited the question. – Munchkin Apr 26 '22 at 11:40
  • I think this boils down to a question of how users of your system authenticate each other's certs. If Bob and Alice are using your system, and Alice needs Bob's certificate (in order to encrypt a message that she will send to Bob, or to verify a signature that Bob made), and the cert is not signed by a CA that Alice trusts - then how would Alice go about authenticating that the cert is really Bob's, and not some MITM impersonating Bob? – mti2935 Apr 26 '22 at 16:02

1 Answer


I would advise a third way: use a private CA. A true public CA is a complex thing, because in order to be trusted you must publish your policies and have your root CA accepted by major browsers.

But for local use, a tool like xca allows you to easily manage a bunch of client or server certificates, and trusting them all is just a matter of importing the root (private) CA.

Nothing is really hard here (I successfully created and used dozens of certificates that way), but you have to know the basics about X509 certificates.

Advantages:

  • over a serious CA: the cost for an equivalent service level for local usage
  • over individually self-signed certificates: you only have to trust one single root CA
  • over Let's Encrypt: you have full control over certificate delivery and could easily set up different classes of certificates by using intermediate CAs

Disadvantages:

  • you have to understand the concepts of X509 certificates
  • you have to handle the security of the root CA key at the level that is required for your actual use. It is trivial for tests, but if you want to use it for important (even if local) operations, it may require some work...
Serge Ballesta
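The private CA the answer recommends, as an added example that is not part of the original answer and does not use xca: it builds a root CA, an intermediate CA and a user certificate with openssl, then shows that importing only the root is enough to verify the user certificate and a message it signed, while a self-signed certificate with the same name is rejected. All names, file paths and the e-mail address are made up; it assumes openssl 1.1.1 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): build a small private CA with
# openssl (root -> intermediate -> user cert) and show that trusting only the
# root is enough to verify every certificate and signature issued under it.
# Assumes openssl >= 1.1.1 on PATH; every name, path and address is made up.
set -eu
build_private_ca() (  # $1 = working dir; subshell keeps the cd local
  mkdir -p "$1" && cd "$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf     # minimal req config
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.test\n' > user.ext
  # Root CA: self-signed, key usable only for signing certificates and CRLs
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
    -out root.csr -subj "/CN=Example Private Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext \
    -out root.crt 2>/dev/null
  # Intermediate CA: pathlen:0 means it may issue end-entity certificates only
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile int.ext -out int.crt 2>/dev/null
  # Alice's signing/encryption certificate, issued by the intermediate
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout alice.key \
    -out alice.csr -subj "/CN=Alice" 2>/dev/null
  openssl x509 -req -in alice.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -extfile user.ext -out alice.crt 2>/dev/null
  # A self-signed certificate with the same name, issued by nobody we trust
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout mallory.key \
    -out mallory.crt -days 365 -subj "/CN=Alice" 2>/dev/null
)
# Exit 0 if $2 chains up to root.crt (intermediate given as untrusted), else 1
verify_with_root() {  # $1 = directory, $2 = certificate file name
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/$2" >/dev/null 2>&1
}
# Sign a message as Alice (CMS / S/MIME), then verify it trusting only the root;
# prints the verified message on success
sign_and_verify() {  # $1 = directory
  printf 'hello from alice\n' > "$1/msg.txt"
  openssl cms -sign -in "$1/msg.txt" -signer "$1/alice.crt" -inkey "$1/alice.key" \
    -certfile "$1/int.crt" -out "$1/msg.p7s" 2>/dev/null
  openssl cms -verify -in "$1/msg.p7s" -CAfile "$1/root.crt" 2>/dev/null
}
if [ "${1:-}" = "demo" ]; then   # run: bash private_ca.sh demo
  WD=$(mktemp -d); build_private_ca "$WD"
  verify_with_root "$WD" alice.crt && echo "alice.crt: chains to our root"
  verify_with_root "$WD" mallory.crt || echo "mallory.crt: rejected, not issued by our CA"
  sign_and_verify "$WD"
fi
```

Only root.crt has to be distributed to the users; the intermediate travels with each certificate or signed message, which is what lets you issue different classes of certificates from separate intermediates later without touching anyone's trust store.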