A large organization may want to set up its own Certificate Authority (CA) as part of a defense-in-depth strategy for authenticating users between far-flung departments. These users may need access to files, data or systems in distant departments, and the CA is one way to authenticate them across departmental boundaries. It can also identify who is trying to access your network, preventing malicious access from outside the company.
However, beyond that, rolling your own CA should be limited to inside your organization. The CA is a universally recognized and trusted third party for verifying digital certificates. Setting up your own CA is a bit like trying to set up your own motor vehicle department for issuing drivers licenses to verify the identity of drivers.
CA's purpose is to securely manage the distribution of digital certificates. They do so by verifying the identity of the certificate holder. When someone accesses a Web site using SSL, for example, the Web site doesn't just return the page, it sends back a digital certificate proving the site's identity. This would be the same as if someone, when asked their name, not only told you their name, but also showed you their driver's license. The license is recognized as valid because it's issued by a well-known third party -- the department of motor vehicles -- which is trusted because it requires anyone applying for a license to verify their identity. The CA is the IT equivalent of this. It requires applicants to prove their identity as part of the application process for issuing and storing their digital certificates.
If you set up your own CA, its certificates won't be identified by most browsers and it's expensive to distribute them on your own. The large CA houses take care of all of this. Additionally, a CA server needs protection to block intruders. CA servers use a private key system to protect their certificates and if that key is stolen, the certificates issued are no longer authentic. CA's take care of this, so you don't have to.
Dig Deeper on PKI and digital certificates
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading