One Unified Global Perspective
Communications with a Global Perspective

2009 Jul 16 - Thu

Certificate Authorities

In rebuilding my servers, many of the services--such as email, VPN, LDAP, database, DNS--make use of authentication and encryption protocols. Many of these make use of the OpenSSL Project for implementing Secure Sockets Layer. The authentication side of things requires the use of Certificate Authorities to ensure a chain of validation, so that clients can validate that the server/service to which they are connecting is who or what it says it is.

Certificate Authorities (CA) come in various capabilities and pricing levels. When authentication is only needed within an organization, certificates can be self-signed. The simplest mechanism, but least maintainable solution, is to have each machine generate and self-sign its own certificate. When more than one machine needs a certificate, it is best to implement an organizational Certificate Authority.

For Microsoft based networks, Microsoft has a standard level and an enterprise level Certificate Authority service. The enterprise level is required when implementing 802.1x network security protocols.

For Open Source based networks, there are Open Source based Certificate Authorities, such as OpenCA.org, SimpleCA, Home Brew, or TinyCA, to name a few. A couple of good sites discussing the steps of being your own Certificate Authority include: Be Your Own Certificate Authority, by George Notaras, and Becoming a X.509 CA, by David Pashley.
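The difference between per-machine self-signing and an organizational CA, sketched with the openssl command line (an added example, not from the original post or the linked guides; the organization name, host names and file layout are constructed):

```sh
#!/bin/sh
# Added example: one organizational CA signs host certificates.
# Org name, host names and file layout are constructed for illustration.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {
  # Self-signed root. ca.crt is distributed to clients; ca.key never leaves the CA.
  openssl req -config "$WORK/req.cnf" -x509 -extensions ca_ext -newkey rsa:2048 \
    -nodes -sha256 -days 3650 -subj "/O=Example Org/CN=Example Org Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = host name
  # The host generates its key and a CSR; only the CSR is given to the CA.
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

self_sign() {  # $1 = host name; the per-machine approach, for comparison
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

trusted_by_ca() {  # $1 = host name; succeeds only if the chain ends at ca.crt
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 | grep -q ': OK$'
}

make_ca
issue_cert mail.example.internal
self_sign ldap.example.internal
for h in mail.example.internal ldap.example.internal; do
  if trusted_by_ca "$h"; then echo "$h: validates against the org CA"
  else echo "$h: not trusted (each client would need this cert installed by hand)"; fi
done
```

Clients that import the single `ca.crt` accept every host certificate the CA issues, while each self-signed certificate has to be distributed and trusted individually.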

Since some of my services are open to the Internet, I need access to a public Certificate Authority. There is a free Certificate Authority known as CAcert. Its popularity appears to be growing steadily year by year. Its drawback is that it is not included as a root authority in any of the popular browsers.

StartSSL has, in addition to paid services, free digital certificates. They do have a root authority certificate in many browsers, but not in Internet Explorer. Even so, they do have an OpenID authentication service, which comes in handy for signing into the increasing number of websites offering OpenID sign in capability.

I've seen single root certificates for as low as $9.95/yr. Many of them are resellers of RapidSSL. When compared to Thawte or VeriSign, RapidSSL seems reasonably priced, even for the WildCard product which allows multiple servers within the same domain to hold the same certificate.

Based upon some of the Certificate Authority service descriptions, the low price services cater to the low volume traffic users, whereas the higher priced certificates provide for fast authentications for high volume websites.

SSL Shopper has comparisons of some higher end public Certificate Authorities.



Blog Content ©2012
Ray Burkholder
All Rights Reserved
ray@oneunified.net