In rebuilding my servers, many of the services--such as email, vpn, ldap, database, dns--make use of authentication and encryption protocols. Many of these make use of the OpenSSL Project for implementing Secure Sockets Layer (SSL). The authentication side of things requires the use of Certificate Authorities to ensure a chain of validation, enabling clients to validate that the server/service to which they are connecting is who or what it says it is.
Certificate Authorities (CA) come in various capabilities and pricing levels. When authentication is only needed within an organization, certificates can be self-signed. The simplest mechanism, but least maintainable solution, is to have each machine generate and self-sign its own certificate. When more than one machine needs a certificate, it is best to implement an organizational Certificate Authority.
For Microsoft based networks, Microsoft has a standard level and an enterprise level
Certificate Authority service. The enterprise level is required when implementing 802.1x network security protocols.
For Open Source based networks, there are Open Source based Certificate Authorities, such as
OpenCA.org,
SimpleCA,
Home Brew, or
TinyCA, to name a few. A couple of good sites discussing
the steps of being your own Certificate Authority include:
Be Your Own Certificate Authority, by George Notaras, and
Becoming a X.509 CA, by David Pashley.
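To make the "self-sign each machine" versus "organizational CA" distinction concrete, here is an added example (not from the original post or from any of the CA projects linked above) using nothing but the openssl command line. It builds a small root CA, has the CA sign one server certificate from a certificate signing request, creates one per-machine self-signed certificate for comparison, and then runs the same chain validation a client would perform against both. The hostnames under example.test, the organization name and the scratch directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the post's own code): a minimal organizational CA with
# the openssl CLI, plus a self-signed per-machine certificate for contrast.
# Hostnames under example.test and "Example Org" are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates
CA_KEY="$WORK/ca.key"
CA_CRT="$WORK/ca.crt"

# Write an openssl request config for a given CN. Third argument "yes" marks the
# certificate as a CA (basicConstraints CA:TRUE); "no" gives server-only extensions.
write_req_cnf() {   # usage: write_req_cnf <file> <CN> <yes|no>
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[ dn ]
O  = Example Org
CN = $2
[ ext ]
EOF
  if [ "$3" = yes ]; then
    cat >> "$1" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  else
    cat >> "$1" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
EOF
  fi
}

# 1. The organization's root CA: a self-signed certificate that is explicitly
#    marked CA:TRUE. Its private key never leaves the CA host.
setup_ca() {
  write_req_cnf "$WORK/ca.cnf" "Example Org Root CA" yes
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# 2. A server certificate issued by that CA: the server generates its own key
#    and a CSR; only the CSR goes to the CA, which signs it with the CA key and
#    attaches the server extensions (CA:FALSE, serverAuth, SAN).
issue_server_cert() {   # usage: issue_server_cert <hostname>
  write_req_cnf "$WORK/$1.cnf" "$1" no
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.cnf" -extensions ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# 3. The "each machine signs its own" alternative: no CA is involved, so there
#    is no chain for a client to validate.
make_selfsigned() {   # usage: make_selfsigned <hostname>
  write_req_cnf "$WORK/$1.cnf" "$1" no
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# What a client does: validate the presented certificate against the one trust
# anchor it holds (the organization's CA certificate). Exit status 0 means the
# chain validates; non-zero means the client must reject the certificate.
verify_against_ca() {   # usage: verify_against_ca <cert file>
  openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1
}

setup_ca
issue_server_cert mail.example.test
make_selfsigned vpn.example.test

verify_against_ca "$WORK/mail.example.test.crt" \
  && echo "mail.example.test: signed by the organizational CA, chain OK"
verify_against_ca "$WORK/vpn.example.test.crt" \
  || echo "vpn.example.test: self-signed, not trusted by the CA chain"
```

The point the two final checks make is the maintainability one from the text: with an organizational CA, every client only needs to trust `ca.crt` once, and any number of servers can be issued certificates under it; with per-machine self-signed certificates, each new certificate has to be distributed to, and trusted by, every client individually, because `openssl verify` (and a browser or mail client doing the equivalent) has nothing to chain it to.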
Since some of my services are open to the Internet, I need access to a public Certificate Authority. There is a
free Certificate Authority known as
CAcert. Its popularity appears to be growing steadily year by year.
Its drawback is that it is not included as a root authority in any of the popular browsers.
StartSSL has, in addition to paid services, free
digital certificates. They do have a root authority certificate in many browsers, but not in Internet Explorer.
Even so, they do have an OpenID authentication service, which comes in handy for signing into the increasing
number of websites offering OpenID sign in capability.
I've seen single root certificates for as low as $9.95/yr. Many of them are resellers of
RapidSSL.
When compared to
Thawte or
VeriSign, RapidSSL seems reasonably priced, even for
the WildCard product which allows multiple servers within the same domain to hold the same certificate.
Based upon some of the Certificate Authority service descriptions, the low price services cater to the
low volume traffic users, whereas the higher priced certificates provide for fast authentications for
high volume websites.
SSL Shopper has comparisons of some higher end
public Certificate Authorities.
Thursday, July 16. 2009
Certificate Authorities