I've read the available similar questions on serverfault but I haven't quite found a definite answer to the security aspect of it - hence here's my question:

I'm administrator of an office working with tax data and we want to start using certificate-based eMail encryption with our clients. Considering the prices for issued certificates by VeriSign & Co I was wondering if we couldn't issue the necessary certificates with a certificate authority of our own.

I realize that they do not offer the trust hierarchy that commercial certificates do but I don't see why we would need that. Most of our clients have small businesses and only 20% of them even exchange data with us via email. So if we were to issue certificates for those 20% and our employees, that would enable us to use encrypted emails. Of course they would have to trust our certificate authority and thus once receive our public root certificate. But if we would hand them out to them (or install it) personally, they'd know that it really is our certificate.

Is there a huge security risk that I am missing here? As long as nobody has access to our certificate authority server nobody should be able to interfere with security, right? And the client certificates would be generated and handed out by us, as well...

Please advise me if I am making an error in judgement here and thank you in advance.

  • It's rather going to depend on the exact choice of software used to work with the certificates. If it's clever software that can cope with importing your CA root, and using it to verify certificates, then that may work well. If it's dull and stupid software, people will be constantly clicking through "*this certificate is untrusted*" warnings, and you will have no effective certification at all. – MadHatter Oct 22 '13 at 13:49
  • The email client that is used in our office is Outlook 2010 (the users are too attached to their precious Outlook as if I could implement something else). As for the clients, they might have other programs, indeed. – LumenAlbum Oct 22 '13 at 14:01
  • OK, I know nothing about MS products, so can be of no further help; sorry. But I have retagged the question accordingly! And I still think it'll be Outlook's handling of CAs that determines how painful this will be for you, so you might want to put some research effort into that. – MadHatter Oct 22 '13 at 14:26
  • As far as I've tested with my CA so far, Outlook uses Windows' internal certificate store, so double-clicking on the personal and public root CA's certificate, importing them and telling Outlook that it's a trustworthy CA seems to be sufficient. I could encrypt my test emails without any problems or warnings after that – LumenAlbum Oct 22 '13 at 15:28
  • You're right about the outlook tag, however I've re-added "email" as well because we may be using Outlook but our clients may very well use something else. It's a rather universal question about the security implications of using your own CA, the used email client should be negligible - except of course for convenience as you rightfully pointed out. – LumenAlbum Oct 22 '13 at 15:37

2 Answers


The best-known advantage of trusted certificates is the fact that they are 'trusted' and the signing authority gives some warranty. The next benefit is that your client will not get a notice about a 'non-trusted' certificate - that may cause some confusion for other clients, especially when configuring email or accessing a webpage for the first time.

So it depends on your needs. If you just want to utilize encryption, it is the way to go. We use non-trusted self-signed certificates at our company, for local needs, because:

  • we are aware that the pop-up window claiming that the certificate is not trusted has only an informative character
  • using the same key length and encryption algorithm, it gives almost the same security
  • we can fully utilize the secure connection

Moreover, your client will add the untrusted certificate to his 'local trusted list' and the pop-ups will no longer appear. Furthermore, if the certificate changes, he will be informed about this fact.

As far as trusted certificates go, they are worth considering if you want to serve secure content to unknown visitors or people that do not know anything about you - for example, shared hosting customers. PERSONALLY, I'd go for self-signed certificates in this scenario, all the more since you have contact with your staff.

  • Sounds good. So you are using it like that in your company, as well? How did the clients take it? Any complaints or troubles on their part with importing the certificates or problems with particularly exotic mail clients? – LumenAlbum Oct 22 '13 at 15:32

It is certainly technically possible, however in practice this is going to be a major PITA for your clients, who will need to maintain the certificate stores:

  • most small businesses won't have the skills to integrate your CA cert in their certificate stores

  • those who do have the skills may not be happy to accept you as a certification authority since this potentially allows you to create 'forged' certificates for other entities (although I would suggest anyone considering this as an argument to have a look at what CA certs are currently installed on their systems).

The PGP/GPG trust model is much more appropriate to this kind of relationship - and there are lots of tools/plugins available, many with commercial support and several free ones.

  • Hm, I see your point but if you purchase certificates from say VeriSign you don't have to import the CA's certificate, however you still need to be able to import your own. I guess if they manage the latter, they won't have trouble with the first. – LumenAlbum Oct 22 '13 at 15:20
  • I share your opinion about PGP. Last time I checked there is no easy way to integrate it with Outlook for encrypting eMails and their attachments in one step, though. You still had to encrypt the attachment first and then add it to the email etc. Combine that with the necessary initial key generation process and our clients (and a few users) will be lost. If you know an easier way, please let me know – LumenAlbum Oct 22 '13 at 15:22
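The following is an added example, not code from either answer or from the original poster. It shows the approach the first answer endorses (an in-house root CA issuing S/MIME certificates) and addresses the objection raised in the second answer: the root certificate carries an X.509 Name Constraints extension permitting only e-mail addresses under one domain, so a certificate this CA signs for any other address is rejected by a constraint-aware verifier such as OpenSSL. The domain `example.invalid`, the CA name and the two subjects are constructed for the illustration; the helper names `issue_cert` and `verify_cert` are likewise assumptions. It needs only the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example: a minimal private CA for S/MIME, restricted by Name Constraints.
# All names below (example.invalid, "Example Office Root CA", employee, outsider)
# are constructed for this illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Hypothetical office domain this CA is allowed to certify
DOMAIN="example.invalid"

# 1. Root CA key and self-signed certificate.
#    nameConstraints limits the CA to rfc822 names under @$DOMAIN; the extension
#    is marked critical so a verifier that does not understand it rejects the chain
#    rather than silently ignoring the restriction.
cat > ca.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Office Root CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;email:${DOMAIN}
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
  -config ca.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1

# Minimal request config; the subject is always overridden with -subj below
cat > req.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# issue_cert NAME EMAIL -> writes NAME.key and NAME.crt, signed by the CA.
# The end-entity extensions mark the certificate for S/MIME use
# (emailProtection) and place the address in subjectAltName, which is what
# mail clients and the name-constraint check look at.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  cat > "$1.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$2
EOF
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# verify_cert FILE -> prints OK if FILE chains to ca.crt, satisfies the
# name constraints and is usable for S/MIME encryption; FAIL otherwise.
verify_cert() {
  if openssl verify -CAfile ca.crt -purpose smimeencrypt "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# An employee address inside the permitted domain: verifies.
issue_cert employee "employee@${DOMAIN}"
# An address outside it: the CA key can sign it, but verification fails,
# so a compromised or misused in-house CA cannot vouch for third parties' mail.
issue_cert outsider "someone@other.invalid"

verify_cert employee.crt
verify_cert outsider.crt
```

Note that this constrains only e-mail names; if the same root should also be unable to certify TLS server names, a `permitted;DNS:` subtree for the office domain has to be added as well. Windows' certificate store honours Name Constraints, so the restriction is visible to a client who inspects the root certificate before importing it, which is the check the second answer's sceptical client would want.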