12

In the comments to Creating my own CA for an intranet several people strongly advise against creating your own CA for an intranet.

Especially:

don't do it. Nope. Bad idea. Buy $10 CA signed certificates instead. Don't be your own CA. No. Nope. Bad idea — KristoferA

But also:

echo "Abandon all hope, ye who enter here." — Tom Leek

Why should one put more trust in an arbitrary CA that sells certificates for $10 than in the company's own IT department?

(I'm even inclined to trust certificates signed by suppliers or clients (1, 2) more than I would trust certificates signed by the common root CAs.)

  • Is keeping the CA server secure the problem?
  • Is distributing and installing root certificates the problem?
  • Is the RA and/or the distribution of up to date CRLs the problem?
  • Is restricting who or what receives a certificate and who or what signs a certificate a problem?
  • Any other problems? (Perhaps my limited knowledge, and the limited knowledge of other IT professionals in general, about all essential aspects of a secure CA, is why KristoferA, Tom Leek, and others strongly advise against «homebrew» CAs.)

Probably a professional CA will have more expertise in the first three areas and they could do better than any «smug» who creates his own CA. But still the factor of trust comes to mind especially for the last part.


1.) Given that my company has a longterm relation with these suppliers and clients.

2.) Restricted to certificates about their own servers and employees.

  • 3
    If you have internal hostnames like `*.local`, `*.mycompany` or similar then there is no way around running an internal CA anyway, since public CAs will no longer issue certificates for non-public domains. – Steffen Ullrich May 16 '15 at 16:13

1 Answer

16

There is nothing at all wrong with running your own internal certificate authority; the vast majority of large companies that I have interacted with have their own internal CA.

Advantages

  • The nominal cost of a cert becomes nearly zero when amortized over enough systems and users; when you purchase certificates from an external CA, this will never become the case.
  • It can be a lot easier to manage certificate expiration and renewal, since you can assign ownership to an internal group, instead of a single user who requested it.
  • You can do all sorts of neat things that are very difficult or expensive to do with external CAs, such as creating wildcard certs for subdomains, like *.test.company.com, or creating weird invalid certs for testing purposes (SHA-1 2017, 512-bit RSA, etc.)

Disadvantages

  • Running a CA is really hard. For your own internal CA, you obviously don't need to have quite the level of security controls of a real CA, but it's still quite complex.
  • The people who are capable of creating and running a CA are certainly not cheap; in the US at least, you can expect that people with strong knowledge of cryptography and/or PKI will be making six figures.
  • It's not enough just to have a CA; you also need to build systems around it. Websites/APIs for requesting certs and handling revocations, notification systems for certificate renewal, installation packages to push out root certificates, etc. You could buy a software package that manages a lot of this for you, but that's certainly not free either.

For sufficiently large companies, there becomes a tipping point where the cost of purchasing all these external certificates and the loss of flexibility entailed therein becomes a significant enough issue to create your own CA.

Otherwise, I agree with those who warned you against it: for the vast majority of small to middle-size companies, it's simply not economical to run their own CA; it makes far more sense to simply deal with a company that specializes in the matter. Even a thousand certs at $10 a year is a steal when compared to the cost of setting up a well-run internal CA.

Summary

It's not about trust, it's about cost.

marumari
  • 4
    With 50,000 certificates at $10/year, it only takes 366 days to be a seven-figure sum. Investing in setting up an internal CA may very well cost less, and you could even sell that expertise on top. – Andrew Leach May 16 '15 at 14:36
  • 4
    @AndrewLeach, for a small to middle-size company a certificate for every employee + every (virtual) server + every application will probably not add up to 50,000. – Kasper van den Berg May 16 '15 at 14:46
  • 3
    In addition to what @KaspervandenBerg said about the quantity of certificates, an internal CA that is generating 50k certificates per year is probably going to require several employees to maintain and develop. Because of that, I've found it rare to find CAs outside of either mid-cap (or larger) companies or tech companies that may already have that expertise in-house. – marumari May 16 '15 at 14:59
  • Re the third disadvantage for Joe Average's Windows network: Installing the CA role on a server gives you the website and revocation points in LDAP right away, and adding your root CA as trusted can be done swiftly per GPO – Hagen von Eitzen May 16 '15 at 18:58
  • 3
    @HagenvonEitzen, the challenges start mounting when you have non-Windows devices that all need to trust the Root CA. Mobile test devices, programs with their own cert store (Firefox, java, especially on Linux servers etc), Macs. What I've found in my company is that many people don't understand that we have an internal CA and just try to manage by manually accepting the "invalid cert" message. – Alan Shutko May 17 '15 at 02:09
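One concrete piece of the "systems around the CA" machinery the answer lists, and of the asker's point about restricting who a certificate can be issued for, as an added example that is not from the answer or its commenters: a Go program (standard library only) that creates a root CA carrying a critical name constraint for an internal zone like the `*.local` names Steffen Ullrich mentions, issues a server certificate from it, and verifies the result exactly as a client that trusts only that root would. Ed25519 keys, the zone `mycompany.local`, the hostnames and the CA subject are my own choices and constructed placeholders; a real deployment would keep the root key offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// sign gives tmpl a fresh Ed25519 key and returns it signed by parent/signer; nil parent = self-signed.
func sign(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // the root signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// BuildInternalPKI makes a root CA name-constrained to zone, then has it issue a one-year server cert for host.
func BuildInternalPKI(zone, host string) (root, leaf *x509.Certificate, err error) {
	root, rootKey, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Internal Root CA (constructed example)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, PermittedDNSDomains: []string{zone}, PermittedDNSDomainsCritical: true,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, _, err = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
	}, root, rootKey)
	return root, leaf, err
}
// VerifyAgainst checks leaf for host exactly as a client that trusts only root would.
func VerifyAgainst(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
```

BuildInternalPKI("mycompany.local", "intranet.mycompany.local") followed by VerifyAgainst returns nil, while the same call for "www.example.com" yields a certificate that VerifyAgainst rejects with Go's name-constraint error: the constraint is what keeps an internal root, even one whose key is later misused, from vouching for names it was never meant to cover.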