Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Should an organization design and use their own Certification Authority?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Should an organization design and use their own Certification Authority?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 03 April 2006
Under what circumstances can an organization decide to have its own Certification Authority (CA) rather than purchasing certificates from a commercial CA?

>

A large organization may want to set up its own Certificate Authority (CA) as part of a defense-in-depth strategy for authenticating users between far-flung departments. These users may need access to files, data or systems in distant departments, and the CA is one way to authenticate them across departmental boundaries. It can also identify who is trying to access your network, preventing malicious access from outside the company.

However, beyond that, rolling your own CA should be limited to inside your organization. The CA is a universally recognized and trusted third party for verifying digital certificates. Setting up your own CA is a bit like trying to set up your own motor vehicle department for issuing drivers licenses to verify the identity of drivers.

CA's purpose is to securely manage the distribution of digital certificates. They do so by verifying the identity of the certificate holder. When someone accesses a Web site using SSL, for example, the Web site doesn't just return the page, it sends back a digital certificate proving the site's identity. This would be the same as if someone, when asked their name, not only told you their name, but also showed you their driver's license. The license is recognized as valid because it's issued by a well-known third party -- the department of motor vehicles -- which is trusted because it requires anyone applying for a license to verify their identity. The CA is the IT equivalent of this. It requires applicants to prove their identity as part of the application process for issuing and storing their digital certificates.

If you set up your own CA, its certificates won't be identified by most browsers and it's expensive to distribute them on your own. The large CA houses take care of all of this. Additionally, a CA server needs protection to block intruders. CA servers use a private key system to protect their certificates and if that key is stolen, the certificates issued are no longer authentic. CA's take care of this, so you don't have to.

More Information

  • Learn more about PKI and Digital Cerficates here.

    		•

    BROWSE BY TAG
    Identity Management and Access Control,   PKI and Digital Certificates,   Enterprise Identity and Access Management,   User Authentication Services,   Web Authentication and Access Control,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key
    Can any firm or organization get a digital signature certificate?
    Should the CTO have domain administrator access?

    PKI and Digital Certificates
    Best Authentication Products
    DoD urges less network anonymity, more PKI use
    Researchers to demonstrate new EV SSL man-in-the-middle hacks
    Portable security storage device could replace OTP devices
    What is most misunderstood about EV SSL certificates?
    VeriSign addresses MD5 flaw
    Rogue digital certificates strike blow to Internet security
    Can any firm or organization get a digital signature certificate?
    How to obtain a digital certificate for a server
    PKI and digital certificates: Security, authentication and implementation
    PKI and Digital Certificates Research

    Web Authentication and Access Control
    Group to shed light on secure identity management threats
    How to confirm the receipt of an email with security protocols
    Schneier-Ranum Face-Off: Is Perfect Access Control Possible?
    Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat
    Changing times for identity management
    How to use single sign-on for Web access control to prevent malware
    IBM USB banking device stops keyloggers, malware
    Can mutual authentication beat phishing or man-in-the-middle attacks?
    Could someone place a rootkit on an internal network through a router?
    Sun launches open source OpenSSO for identity management

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Certificate Revocation List  (SearchSecurity.com)
    Digital Signature Standard  (SearchSecurity.com)
    HDCP  (SearchSecurity.com)
    MD2  (SearchSecurity.com)
    MD4  (SearchSecurity.com)
    MD5  (SearchSecurity.com)
    nonrepudiation  (SearchSecurity.com)
    PKI  (SearchSecurity.com)
    public key  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts