Determining Whether an in House or an External Certificate Authority is More Appropriate for Your Company
If your network security requirements are causing you to need one or more certificates, then one of the most important decisions that you will have to make is where to get the certificate. You can purchase certificates from one of the third party certificate authorities such as VeriSign or Thawte, or you can set up your own certificate authority and issue certificates of the home grown variety. Both have their advantages and disadvantages.
When it comes to picking out a certificate authority, one of the first things that people usually seem to notice is the cost. Prices vary among providers and they vary depending on the type of certificate that you need, but it is not uncommon to pay hundreds of dollars for a single certificate from a third party certificate authority. On the other hand, if you have your own certificate authority, you can issue as many certificates as you want for free. That certainly makes the idea of setting up your own certificate authority more attractive at first, especially if you have a large number of certificates to deploy.
Unless you are really going to be issuing a lot of certificates, I don't recommend making the decision based solely on cost though. There are a lot of other factors to consider, but even if those factors (which I will explain later) aren't important to you, there is a fairly high cost associated with setting up your own certificate authority. For starters, you will need hardware to run the certificate authority on. You will also need a Windows Server 2003 license and the appropriate client access licenses. Furthermore, you must consider the cost of maintaining the certificate authority.
I have known people in the past that have decided to simply run the Certificate Authority related services on an existing Windows 2003 Server. Piggybacking does save cost. If you aren't issuing an excessive number of certificates, then it almost seems silly to dedicate an entire server to such a menial task.
Although I am normally all in favor of saving money, especially when doing so does not compromise productivity, this is one situation where I have to side with the big spenders. If you are going to run your own certificate authority, you really should run it on a dedicated server, even if most of the server's power is never being utilized.
The reason for this is because even though the Certificate Authority services are simply a set of services that run under Windows Server 2003, a certificate authority server is like no other server in your entire network. For starters, it has completely unique security requirements. Think about it for a minute. You are basing your organization's security on one or more digital certificates. If those certificates are compromised, then your organization's overall security is compromised. For example, imagine that your company uses an IIS server to run the company's E-commerce Web site. Such a server would require a certificate in order to be able to perform the SSL encryption needed to secure credit card transactions. If someone managed to hack your certificate server and steal a copy of this certificate than they could set up their own server and convincingly spoof your server's identity. They could also decipher the SSL encryption in an effort to steal customer's credit card numbers.
The point is that if you choose to set up your own certificate authority, you need to harden the server as much as possible. A server that is pulling double duty by running some other application along side the certificate authority services will never be as secure as a dedicated server.
The other thing that's unique about a certificate authority server is that you must work especially hard to protect it against data loss. Imagine for a moment that a user on your network requests a certificate from the certificate authority, and then uses that certificate to encrypt some files stored on one of your file servers. Now, let's say that disaster strikes, data loss occurs, and the certificate is gone. The files are still encrypted, but the certificate that's needed for decrypting the files is gone. Without the certificate, the encrypted files are useless.
I realize that this is a grossly oversimplified example of how encryption keys are used, but that isn't really the point. The point is that if your certificate server has a hard disk failure and you don't have an extremely current backup available to you, then you could have some serious problems on your hands.
I'm not trying to discourage you from deploying your own certificate authority. I myself run my own certificate authority. I am simply trying to make you aware of the fact that if you do deploy your own certificate authority, then you need to take extra care when it comes to securing, protecting, and backing it up. The advice that I typically give people who are contemplating a certificate authority deployment is to treat your certificate authority the way that you would treat a nuclear warhead; protect it at all costs.
OK, so I have talked a lot about setting up your own certificate authority, but what about using certificates that were issued by a third party certificate authority? I mentioned that they could be expensive, but even with that being the case, there are at least two good reasons for using them.
The first reason is liability. Let's pretend that someone broke into your certificate authority, stole a certificate, and used that certificate to access your customer database. They then took all of your customer's credit card numbers and went on a huge shopping spree. Needless to say, if that happened you would have some really upset customers who would never do business with you again, and the lawyers would probably eat you alive.
That doesn't sound very pleasant does it? Now, let's pretend that the exact same thing happened, but this time instead of running your own certificate authority, you bought the certificate from a third party certificate authority. I'm not a lawyer and I have no idea if your company would be liable for anything or not in this situation, but the point is that it isn't your fault that the certificate was compromised. It was the certificate authority's responsibility to safeguard the certificate.
The other compelling reason for using external certificate authorities is trust. A good example of this is that I recently bought the domain name poker-run-boats.com. I intend to eventually set up a Web site that will sell parts for high performance boats. Naturally, if I am selling something over the Internet, I am going to need an SSL certificate. I do have my own certificate authority that is perfectly capable of issuing a certificate for this Web site, but that may not be the best idea in the world.
When many people shop at an online retailer that they have never used before, they want to make sure that the site is legitimate and that it is secure. If someone attempts to place an order for a supercharger and sees that the site's certificate was issued by brienposey.com, that is probably going to raise some questions. I am pretty well known in the IT world, but most speed boat enthusiasts have never heard of me (yet). A new customer shopping at my site would probably feel a lot better about the site's integrity if the site's certificate was issued by VeriSign or by some other reputable certificate authority that they have heard of and trust.
When it comes to deciding whether to set up your own certificate authority or to purchase third party certificates, there is often no clear cut answer as to which is the best course of action. Instead, you need to weigh cost, potential liability, and the possibility of disaster in making your decision.