
RE: CA-SSL in IIS

From: Lance Wolrab DNET <LWolrab(at)deltanet.net>
Date: Tue Jul 15 2003 - 12:55:17 EDT


It all depends on what you intend to do with your Certificate Authority (CA). I have set up a self-signed CA with both Microsoft and Netscape products, and administration of the CA can become a full-time task if you support a large number of webservers or if you choose to use certificates for more than just webserver SSL. Certificate services covers a LOT more than webserver SSL. If the desire is simply to run SSL on a webserver, no CA is required at all. Just generate the key pair and run SSL. It will work just like any other SSL webserver; however, there will be no trusted authority at the certificate's root. This means anyone connecting to the server will receive an error message, and Mac users may not be able to connect at all, since the error often precludes them from completing a connection with an untrusted authority.

Setting up your own CA brings its own set of decisions. Do you want to be an intermediate CA and use someone else's root certificate to provide the automatic, built-in, seamless connection for users who are not SSL savvy? Do you want to distribute your self-signed root certificate to your enterprise for internal applications to avoid the cost of a third party solution (I did this)? Are you prepared to support the fault-tolerance and redundancy requirements of being your own CA? Will you support Microsoft products exclusively, or do you see a need to support Apache or Sun One servers? If you do, Microsoft's built-in CA will not provide you a total solution and you need to decide if you want to have two CAs that trust each other in some fashion to support the other platforms. As you can see, there are a lot of decisions to make at the outset and, much like designing an Active Directory, you can paint yourself into a corner pretty quickly if you fail to address the important issues.

Lance Wolrab

-----Original Message-----
From: Ed Sunder [mailto:edsunder@threehd.com]
Sent: Tuesday, July 15, 2003 7:50 AM
To: focus-ms@securityfocus.com
Subject: RE: CA-SSL in IIS

What drawbacks are there in becoming your own certificate service? Versus one of the major SSL services? Other than that the source of the certificate (if the user looked it up) would not be a commercially known provider and you couldn't participate in any of the major provider's ever so valuable certificate programs.

Ed Sunder
Three HD

>You can easily do it using the Microsoft CA service. There



Received on Tue Jul 15 14:37:59 2003
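
The trust behaviour described in the message above, reproduced as an added example that is not part of the original post: a certificate with no CA behind it, and one issued by a private root, are each checked against a client trust store before and after the private root is distributed. It uses the openssl command line rather than the Microsoft CA service, and every name (www.example.internal, Example Internal Root, Stand-in Public Root) is a constructed placeholder.

```shell
#!/bin/sh
# Added example; every name below is a constructed placeholder.
set -eu

build_pki() {   # $1 = empty working directory
    d=$1
    cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
EOF
    req() { openssl req -config "$d/pki.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
    # Case 1: no CA at all, the server certificate signs itself.
    req -x509 -days 30 -extensions v3_leaf -subj "/CN=www.example.internal" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.crt"
    # Case 2: a private root CA, then a server certificate issued by it.
    req -x509 -days 365 -extensions v3_root -subj "/CN=Example Internal Root" \
        -keyout "$d/root.key" -out "$d/root.crt"
    req -subj "/CN=www.example.internal" -keyout "$d/server.key" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions v3_leaf \
        -out "$d/server.crt" 2>/dev/null
    # Stand-in for the commercial roots a client ships with (constructed).
    req -x509 -days 365 -extensions v3_root -subj "/CN=Stand-in Public Root" \
        -keyout "$d/public.key" -out "$d/public.crt"
    cp "$d/public.crt" "$d/store_before.pem"                    # root not yet distributed
    cat "$d/public.crt" "$d/root.crt" > "$d/store_after.pem"    # root distributed
}

verdict() {     # $1 = certificate to check, $2 = PEM file of roots the client trusts
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

demo() {
    w=$(mktemp -d); build_pki "$w"
    echo "no CA, stock trust store        : $(verdict "$w/selfsigned.crt" "$w/store_before.pem")"
    echo "private CA, root not distributed: $(verdict "$w/server.crt" "$w/store_before.pem")"
    echo "private CA, root distributed    : $(verdict "$w/server.crt" "$w/store_after.pem")"
    echo "no CA, root distributed         : $(verdict "$w/selfsigned.crt" "$w/store_after.pem")"
    rm -rf "$w"
}
demo
```

Only the third case verifies: distributing the private root helps certificates that root issued, and does nothing for a stand-alone self-signed server certificate.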

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:34 EDT
