We've got a web site in development, that is to be used internally within our intranet, but also used externally by one client that will be accessing it via VPN.
As far as Certificates go, what's the best option?
Will i need to get one from a Certificate authority or can we use a self-signed one?
The best way to go is to self sign it, as it is still in development.
Why?
Certificate authorities can be compromised and form an easier target. Your server can also be compromised but it's less likely. But that's a whole other discussion.
Still the way I should do it is create a company CA (if you don't already have it), sign a certificate against it and push the CA over your domain so that it is trusted and people won't be annoyed by the "unsecure connection"-error. The only external client can also add this CA to it's trusted CA-list.
Hope this was helpfull.
