Why Self-Signed Certificates May Be the Best Choice for Large Enterprises

September 20, 2018 | Patrik Nohe, Editor-in-Chief of Hashed Out
At a certain size a dedicated root and self-signed certificate solution is the only thing that makes sense

At The SSL Store we deal with customers of all sizes, but the group that requires the most specialized SSL/TLS solutions is definitely Enterprise-level business. When you’re securing endpoints at the Enterprise level, you’re playing a completely different ballgame than SMBs and smaller companies, simply because there is substantially more surface to cover in an enterprise environment.

Today we’re going to talk about dedicated roots, self-signed certificates, managing your Public Key Infrastructure and what considerations you need to make as an Enterprise business looking to encrypt thousands of endpoints.

Let’s start out with a little background.


A quick refresher on Public Key Infrastructure

Public Key Infrastructure, or PKI, is the backbone of the SSL/TLS ecosystem. Understanding how it works will be instructional once we get into self-signing. Let’s start at the trusted root and work our way out.

A root certificate is a standard X.509 certificate that is trusted by fiat: it is self-signed, so nothing vouches for it except its presence in a trust store. There are multiple root programs, run by the likes of Google, Mozilla and Apple (to name a few), that decide which roots go into their stores, and each store contains a set of trusted root certificates. Any SSL certificate whose signature chain leads back (directly or, in practice, through an intermediate) to one of those trusted roots’ private keys will be trusted by any browser or device using a trust store that includes said root.

In the SSL/TLS ecosystem, Root Certificate Authorities, that is, CAs with trusted roots, issue intermediate CA certificates (often loosely called intermediate roots) to sub-CAs and for their own issuance needs. This insulates the root: its private key can stay offline, and if an intermediate is ever compromised it can be revoked and replaced without pulling the root from every trust store in the world. The way it works is that the root’s private key signs the intermediate, then the intermediate’s private key signs either another intermediate or an end-entity SSL certificate (usually called a leaf certificate).

As long as every signature in that chain verifies back to a root in the trust store, and no certificate in the chain is expired, revoked, or used for a hostname or purpose it was not issued for, the end-user certificate will be trusted.

Now, let’s package up that concept and apply it to an Enterprise Environment.

Enterprises and Public Key Infrastructure

Once companies reach a certain size, paying individually (or even in bulk) for publicly trusted SSL certificates for every internal endpoint is cost-prohibitive (or at the very least, wasteful). That’s why it’s in most enterprises’ best interest to work with a CA to set up a custom PKI solution (sometimes called setting up a dedicated root or a private CA).

With a private CA, a trusted Certificate Authority works with your company to create its own dedicated root. The root is distributed to your organization’s trust stores (by Group Policy, device management or configuration management, for example, rather than through any public root program), so that within your own environment it is trusted just as a public root would be. Once this is in place, the CA will generally spin up a few intermediates for you to issue from.

Just as we described before, you simply use the private key from your company’s intermediate to sign each certificate, and as long as the dedicated root that signed the intermediate resides in your organization’s trust store (and each server presents its intermediate alongside its leaf certificate), all of those certificates will be trusted.
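To make the chain of trust from the PKI refresher above and the private CA setup just described concrete, here is an added example (not code from the original post, and not any CA’s or vendor’s product code) in Go using only the standard library’s crypto/x509 package. It builds the three-tier hierarchy in memory: a self-signed dedicated root, one issuing intermediate signed by the root’s key, and a leaf for an internal host signed by the intermediate’s key. It then verifies the leaf against a trust store that contains the private root, against a store that does not, and after the leaf’s lifetime has passed. The CA names, the host wiki.corp.example and the lifetimes (ten years, five years, 90 days) are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and signs tmpl with parentKey. A nil
// parent means self-signed, which is how the dedicated root itself is made.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // template errors are programmer errors in this example
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// EnterprisePKI is the three-tier hierarchy the post describes, held in memory.
type EnterprisePKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildEnterprisePKI creates a private root, an issuing intermediate signed by
// the root's key, and a leaf for an internal host signed by the intermediate's
// key. Names, host and lifetimes are assumptions chosen for this example.
func BuildEnterprisePKI(now time.Time) *EnterprisePKI {
	notBefore := now.Add(-time.Hour) // tolerate clock skew on relying parties
	root, rootKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Private Root CA"},
		NotBefore:             notBefore,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	inter, interKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Corp Issuing CA 1"},
		NotBefore:             notBefore,
		NotAfter:              now.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign leaves only, never another CA
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "wiki.corp.example"},
		DNSNames:     []string{"wiki.corp.example"},
		NotBefore:    notBefore,
		NotAfter:     now.AddDate(0, 0, 90), // the short, custom lifecycle a private CA allows
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return &EnterprisePKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// Trusted reports whether the leaf chains, at time now and for host, to a root
// in trustStore. The intermediate is supplied with the leaf, as a TLS server
// sends it; only the root has to be installed in the organization's store.
func Trusted(p *EnterprisePKI, trustStore *x509.CertPool, host string, now time.Time) error {
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate)
	_, err := p.Leaf.Verify(x509.VerifyOptions{
		Roots:         trustStore,
		Intermediates: inters,
		DNSName:       host,
		CurrentTime:   now,
	})
	return err
}

func main() {
	now := time.Now()
	pki := BuildEnterprisePKI(now)
	store := x509.NewCertPool() // stands in for the enterprise trust store
	store.AddCert(pki.Root)
	fmt.Println("root in store:    ", Trusted(pki, store, "wiki.corp.example", now))
	fmt.Println("root not in store:", Trusted(pki, x509.NewCertPool(), "wiki.corp.example", now))
	fmt.Println("after expiry:     ", Trusted(pki, store, "wiki.corp.example", now.AddDate(0, 0, 91)))
}
```

Run it with go run. The first line prints a nil error because the leaf chains to the root in the store; the second prints an "unknown authority" error, which is exactly what every browser and device in the enterprise reports if the dedicated root was never pushed to its trust store; the third fails because the 90-day leaf has expired, the flip side of a short custom lifecycle. Note that the verifier only needed the root installed: the intermediate was passed in with the leaf, which is why an internal TLS server must serve its intermediate together with its own certificate.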

Now, it’s worth noting that the context we’re discussing here is your enterprise environment, not public-facing networks and IPs. Enterprises should still use publicly trusted business authentication SSL certificates to secure those, because outside visitors’ devices have no reason to trust your private root. But with regard to intranets and company networks, self-signed certificates (strictly speaking, only the dedicated root is self-signed; everything below it is signed by your own CA) have myriad advantages:

  • Private CAs pay for themselves very quickly
  • Self-signed certificates can have customized lifecycles
  • No fear of third-party revocation
  • You aren’t dependent on another company for certificates
  • You can automate issuance for Private CAs

Self-signed certificates give you a more granular level of control over encrypting your enterprise environment. But with that extra control come some new problems. Read about some potential problems you may face with self-signed certificates on a Venafi post on Hashed Out, the SSL Store blog.

Use a third-party certificate management tool with your Self-Signed Certificates

The first inclination when discussing self-signed certificates and private CAs is to go with the Microsoft Certificate Authority (Active Directory Certificate Services), which is ubiquitous given Microsoft’s market share. This can be a good decision if you have the time, resources and organizational experience to build out your own certificate management apparatus. But obviously it’s not a turn-key solution.

And this is critical. The biggest challenge most Enterprises face is not setting up their own CA or issuing their own certificates; it’s managing all of that. You need full visibility and regular reporting, and you need to be able to track every certificate (where it is installed, which intermediate issued it, when it expires) so that you can make decisions on revoking it or re-issuing it for certain endpoints. Microsoft’s CA doesn’t offer support for any of that. That’s why it’s so important for your organization to decide on a certificate management solution at the same time it makes a determination on setting up its own CA. Read about some common PKI management mistakes.

Managed PKI platforms from a third-party CA are superior to Microsoft CA for several reasons:

  • They use Microsoft Active Directory as a backbone to automate deployment of certificates
  • They come with scanning & reporting capabilities to track your network
  • Trusted CAs have development teams that keep the platforms up to date with new integrations without having to dedicate in-house development resources

When done correctly, self-signing SSL certificates can simplify and streamline an otherwise tedious process for enterprise companies. But most businesses can’t do it on their own. You need someone in your corner to help sort through minutiae. Whether that’s a CA, an SSL service or a third-party vendor, the stakes are too high to go it alone.

About the author

Patrik Nohe, Editor-in-Chief of Hashed Out

Patrik Nohe is Editor-in-Chief of Hashed Out by The SSL Store™. He has substantial experience in building web-based publications, including developing and implementing content strategy, email marketing and brand recognition.
