Self-Signed Certificates Don’t Deliver Trust

Posted by on April 2, 2013 2 comments

Share:

We’ve heard the argument that website operators could just use self-signed certificates. They are easy to issue and they are “free.” Before issuing self-signed certificates, it’s a good idea to examine the trust and security model. You should also compare self-signed certificates to the publicly trusted certification authority (CA) model; and then make your own decision.

Self-Signed Certificate Model

  • Owner says who they are
  • Owner issues on their own policy
  • Owner is responsible for quality
  • Owner may not follow industry guidelines
  • Owner may not provide certificate status
  • Compromised certificates may not be able to be revoked
  • Owner is not audited
  • Issuer of certificate may not be authorized by the domain owner
  • Certificates may not be renewed if there are no reminders
  • Self-signed certificate model does not provide trust and the browser provides a trust dialogue box to indicate such

Certificate Error-Navigation Blocked

Publicly-Trusted CA-Signed Certificate Model

  • CA verifies the owner of the domain and the certificate applicant
  • CA operates to a policy in conformance with the requirements of the browser and operating system vendors. The requirements include the CA/Browser Forum Baseline Requirements, Extended validation (EV) Guidelines and recommendations from NIST.
  • CA provides quality to the certificate. Checks include compromised keys, minimum key size, ensuring hashing algorithms, maximum validity period and proper certificate extensions.
  • CA updates policy based on industry best practices
  • CA provides certificate status through CRL and OCSP
  • Compromised certificates can be revoked
  • CA is audited to certificate issuing criteria such as WebTrust for CA, WebTrust for EV and SSL Baseline Requirements
  • Certificate requesters for a Domain validated certificate are authorized by the owner of the domain. Requesters for Organization and Extended Validation certificates are authorized by a member of the organization specified in the certificate.
  • CAs provide multiple reminders to ensure the certificates are renewed before they expire. CAs may also provide certificate discovery tools to find certificates on your systems which may not have reminders.
  • Publicly trusted CA model is based on the CA being a trusted third party to the browser/OS vendor, the website certificate subscriber and the end-users of the website. The CA is obligated to meet the requirements of all three parties.

So, when should you use a self-signed certificate?

When trust, security, service, quality and reliability are not your criteria.

Bruce Morton, Director, Entrust Certificate Services, Entrust

  • Garry

    So, when should you use a self-signed certificate?
    You mention ‘security’ in relation to this question, but surely both CA and Self Signed provide the same security……ie both give a secure SSL session.
    Or is the word being used in regard to being revoked, crls etc.

    • Bruce Morton

      Security is mentioned because the self-signed certificate may not have the following considered:
      - quality of the keys such as the minimum key size or whether the generated keys could easily be compromised (e.g., Debian)
      - revocation of the certificate if the key has been compromised
      - authorization of the certificate as the issuer may not have been authorized

  • Pingback: CA Security Council | Bogus SSL Certificates