A large organization may want to set up its own Certificate Authority (CA) as part of a defense-in-depth strategy for authenticating users between far-flung departments. These users may need access to files, data or systems in distant departments, and the CA is one way to authenticate them across departmental boundaries. It can also identify who is trying to access your network, preventing malicious access from outside the company.
Beyond that, however, rolling your own CA should be limited to use inside your organization. A CA is a universally recognized and trusted third party for verifying digital certificates. Setting up your own CA is a bit like trying to set up your own motor vehicle department to issue driver's licenses that verify the identity of drivers.
A CA's purpose is to securely manage the distribution of digital certificates, and it does so by verifying the identity of each certificate holder. When someone accesses a Web site using SSL, for example, the Web site doesn't just return the page; it also sends back a digital certificate proving the site's identity. This would be the same as if someone, when asked their name, not only told you their name but also showed you their driver's license. The license is recognized as valid because it's issued by a well-known third party -- the department of motor vehicles -- which is trusted because it requires anyone applying for a license to verify their identity. The CA is the IT equivalent: it requires applicants to prove their identity as part of the application process before issuing and storing their digital certificates.
If you set up your own CA, its certificates won't be recognized by most browsers, and distributing them on your own is expensive. The large commercial CAs take care of all of this. Additionally, a CA server needs protection against intruders. A CA signs the certificates it issues with a private key, and if that key is stolen, the certificates it issued can no longer be considered authentic. Commercial CAs take care of this, so you don't have to.
Related Q&A from Joel Dubin