PKI: Inhouse or external?

Henrick Wibell Hellström 2020-06-07 19:17:54 Registered user
ST 4.0 includes a TLSDemoCert demo project that can be used for generating a PKI with a root certificate, server certificate and client certificate. The project is primarily intended as a demo, but can easily be tweaked into a project for setting up an in-house PKI, as opposed to obtaining certificates from an external CA.
WEB SERVER

If the clients include web browsers, using anything other than commercial certificates that are recognized by the web browser will be problematic and is generally not recommended. Most CAs will only issue server certificates for named domains that are registered in DNS, and not e.g. IP addresses or dynamic domains. This means that if, for some reason, you have to run a server on any other kind of address than a DNS address, you will be facing a difficult situation.

CUSTOM SERVER

Using an in-house PKI might be a cost-efficient alternative if you are developing a system where you provide both the server infrastructure and the corresponding dedicated client software. When using an in-house PKI in a production environment, the responsibility for securing the private key of the root certificate, as well as protecting the integrity of the certificate issuance procedures, falls on you. It is important to note that security ultimately boils down to anticipating everything that might possibly go wrong, preventing those bad things if possible, and making preparations for the event that some of the bad things happen despite your precautions. You have to plan for private key compromise and root CA private key compromise, regardless of whether you use an external PKI or an in-house PKI, but in the former case, someone else will be doing all the hard work of reducing the probability of the latter event. Your long-term root certificate might be embedded into the client software using the CertEmbedder demo project included with ST 4.0, which generates a unit that contains the embedded certificate as a constant. In most cases, the root certificate can be imported this way, regardless of whether it is in-house or external. You should also set the client-side TLS to verify the server certificate name, i.e. verify that the domain name part of the URL the client connects to matches the information included in the server certificate common name or subject alt name extension.
Regardless of whether you are using an external PKI or an in-house PKI,
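The two client-side measures the post recommends, pinning an embedded root certificate as the only trust anchor and verifying the server name in the URL against the certificate's subject alt name or common name, as an added example. It is written in Python's standard `ssl` module rather than Delphi and is not code from StreamSec Tools or the TLSDemoCert/CertEmbedder projects. `EMBEDDED_ROOT_PEM` is a hypothetical placeholder for the constant a CertEmbedder-generated unit would hold, and the three sample certificates are constructed dictionaries in the shape returned by `ssl.SSLSocket.getpeercert()`, not real certificates.

```python
"""Client-side checks for an in-house PKI: trust only the embedded root and
verify the server name against the certificate's SAN / CN.  Added example,
not StreamSec Tools code; Python stdlib ssl instead of Delphi."""
import ipaddress
import ssl
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical placeholder for the PEM a CertEmbedder unit would carry as a
# constant; a real deployment substitutes its own root certificate here.
EMBEDDED_ROOT_PEM: Optional[str] = None


def make_client_context(root_pem: Optional[str] = EMBEDDED_ROOT_PEM) -> ssl.SSLContext:
    """Build a client context whose only trust anchor is the embedded root.

    PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED and check_hostname=True and
    does not load the system CA store, so the in-house root is the only trusted
    issuer.  With root_pem=None nothing is trusted and every handshake fails
    verification, which is the safe failure mode.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # stated explicitly rather than relied on
    ctx.check_hostname = True
    if root_pem is not None:
        ctx.load_verify_locations(cadata=root_pem)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a chain and checks the server name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_pattern_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' allowed only as the
    entire leftmost label and matching exactly one label, so '*.example.com'
    matches 'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) < 3:  # refuse over-broad patterns such as '*.com'
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_matches_cert(url: str, peercert: dict) -> bool:
    """Check the host part of `url` against a certificate in the dict shape
    returned by ssl.SSLSocket.getpeercert().  subjectAltName is authoritative;
    commonName is consulted only when no dNSName entry exists.  An IP-literal
    host matches only an 'IP Address' SAN, never a DNS entry or the CN."""
    host = urlsplit(url).hostname
    if not host:
        return False
    san = peercert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    if host_ip is not None:
        for value in ip_names:
            try:
                if ipaddress.ip_address(value) == host_ip:
                    return True
            except ValueError:
                continue
        return False
    if dns_names:
        return any(_dns_pattern_matches(p, host) for p in dns_names)
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_pattern_matches(value, host)
    return False


# Constructed sample certificates in getpeercert() form (not real certificates).
SAMPLE_SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
SAMPLE_IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}
SAMPLE_CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    checks = [
        ("https://www.example.com/", SAMPLE_SAN_CERT),
        ("https://api.example.com:8443/v1", SAMPLE_SAN_CERT),
        ("https://example.com/", SAMPLE_SAN_CERT),
        ("https://192.0.2.10/", SAMPLE_IP_CERT),
        ("https://legacy.example.com/", SAMPLE_CN_ONLY_CERT),
    ]
    for url, cert in checks:
        print(f"{url:40s} -> {hostname_matches_cert(url, cert)}")
    print("context strict:", context_is_strict(make_client_context()))
```

Using `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` instead of `ssl.create_default_context()` is deliberate: the latter loads the operating system's CA store, which would let any commercial CA issue a certificate the dedicated client accepts, whereas an in-house PKI should only ever accept chains ending at the embedded root. The name check is shown as a stand-alone function so its wildcard and IP-literal edge cases can be exercised directly; in a live connection the same policy is what `check_hostname = True` enforces during the handshake.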