Problem solve Get help with specific problems with your technologies, process and projects.

Should an organization design and use their own Certification Authority?

While using a unique Certification Authority may improve an organization's defense-in-depth strategy, using a commercial CA might save you time and money in the long run. Weigh the pros and cons of each, in this Ask the Expert Q&A.

Under what circumstances can an organization decide to have its own Certification Authority (CA) rather than purchasing certificates from a commercial CA?

A large organization may want to set up its own Certificate Authority (CA) as part of a defense-in-depth strategy for authenticating users between far-flung departments. These users may need access to files, data or systems in distant departments, and the CA is one way to authenticate them across departmental boundaries. It can also identify who is trying to access your network, preventing malicious access from outside the company.

However, beyond that, rolling your own CA should be limited to inside your organization. The CA is a universally recognized and trusted third party for verifying digital certificates. Setting up your own CA is a bit like trying to set up your own motor vehicle department for issuing drivers licenses to verify the identity of drivers.

CA's purpose is to securely manage the distribution of digital certificates. They do so by verifying the identity of the certificate holder. When someone accesses a Web site using SSL, for example, the Web site doesn't just return the page, it sends back a digital certificate proving the site's identity. This would be the same as if someone, when asked their name, not only told you their name, but also showed you their driver's license. The license is recognized as valid because it's issued by a well-known third party -- the department of motor vehicles -- which is trusted because it requires anyone applying for a license to verify their identity. The CA is the IT equivalent of this. It requires applicants to prove their identity as part of the application process for issuing and storing their digital certificates.

If you set up your own CA, its certificates won't be identified by most browsers and it's expensive to distribute them on your own. The large CA houses take care of all of this. Additionally, a CA server needs protection to block intruders. CA servers use a private key system to protect their certificates and if that key is stolen, the certificates issued are no longer authentic. CA's take care of this, so you don't have to.

More Information

  • Learn more about PKI and Digital Cerficates here.
  • This was last published in May 2006

    Dig Deeper on PKI and digital certificates