Thread: Any advantage of using SSL with a certificate of authority?

Any advantage of using SSL with a certificate of authority?

From
Jesus Rafael Sanchez Medrano
Date:
Looking to implement SSL. Every tutorial/sample I have found uses self signed certificates. Would there be any advantage of using a certificate from a CA such as digicert or rapidssl?

Att.
==
Jesus Rafael Sanchez Medrano
"Life is a dream, of which all must wake up"

Re: Any advantage of using SSL with a certificate of authority?

From
Bruce Momjian
Date:
On Tue, Nov 26, 2013 at 02:24:01PM -0400, Jesus Rafael Sanchez Medrano wrote:
> Looking to implement SSL. Every tutorial/sample I have found uses self signed
> certificates. Would there be any advantage of using a certificate from a CA
> such as digicert or rapidssl?

Well, by using a CA you are giving the CA rights to the key, while you
fully control a self signed key.  Since you probably don't expect
unknown individuals to be connecting to your database, a self signed
key is recommended.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +


Re: Any advantage of using SSL with a certificate of authority?

From
John R Pierce
Date:
On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:
> Looking to implement SSL. Every tutorial/sample I have found uses self signed certificates. Would there be any advantage of using a certificate from a CA such as digicert or rapidssl?


depends entirely on your use case.    generally, since you control both ends of a postgresql connection, there's no advantage to using signed certificates, but if you have your own CA already, by all means go ahead and use it.


-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast

Re: Any advantage of using SSL with a certificate of authority?

From
Bruce Momjian
Date:
On Tue, Nov 26, 2013 at 10:33:47AM -0800, John R Pierce wrote:
> On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:
>
>     Looking to implement SSL. Every tutorial/sample I have found uses self
>     signed certificates. Would there be any advantage of using a certificate
>     from a CA such as digicert or rapidssl?
>
>
>
> depends entirely on your use case.    generally, since you control both ends of
> a postgresql connection, there's no advantage to using signed certificates, but
> if you have your own CA already, by all means go ahead and use it.

Yes, definitely use your private CA so you can verify the chain.  It is
public CAs that are not useful in this case.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +


Re: Any advantage of using SSL with a certificate of authority?

From
Vick Khera
Date:

On Tue, Nov 26, 2013 at 1:31 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Well, by using a CA you are giving the CA rights to the key, while you
> fully control a self signed key.  Since you probably don't expect
> unknown individuals to be connecting to your database, a self signed
> key is recommended.

You never give the key to them, just a signing request based on the key. You lose no control over anything. They will in general insist your key be at least 2048 bits.

The only advantage of having a CA key is if the client does authentication of the server, and you have no prior arrangement with the client to accept a certificate from your signing authority.

Using self-signed certs you can give them longevity of 10+ years, so never have to worry about them again :)

Re: Any advantage of using SSL with a certificate of authority?

From
Andrew Sullivan
Date:
On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:
> Using self-signed certs you can give them longevity of 10+ years, so never
> have to worry about them again :)

Unless of course you turn out to have a weak algorithm and, say, No
Such Agency decides to take up residence on your network.  (It's not
clear that CAs are any protection against that either, though, of
course.)  In general, 10+ years is probably too short a time to be
using a cert unless you are completely certain to whom it could be
exposed.  (Some would argue that if you had that certainty, you might
not need TLS/SSL anyway.  I guess I'd respond that you could use TLS
anyway because it would help in case of a network compromise.)

Best,

A

--
Andrew Sullivan
ajs@crankycanuck.ca


Re: Any advantage of using SSL with a certificate of authority?

From
Robin
Date:
There is a downside to self-signed certificates.

  1. A self-signed certificate can be issued by anybody, there is no way of authenticating the issuer.
  2. Distributing self-signed certificates becomes a pain - if signed by a CA, it's easy to lodge your public key where everybody can find it, and knows where to look for it.
  3. Maintenance becomes a problem

I only use self signed certs for testing.
Robin St.Clair
On 26/11/2013 19:34, Andrew Sullivan wrote:
> On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:
> > Using self-signed certs you can give them longevity of 10+ years, so never
> > have to worry about them again :)
>
> Unless of course you turn out to have a weak algorithm and, say, No
> Such Agency decides to take up residence on your network.  (It's not
> clear that CAs are any protection against that either, though, of
> course.)  In general, 10+ years is probably too short a time to be
> using a cert unless you are completely certain to whom it could be
> exposed.  (Some would argue that if you had that certainty, you might
> not need TLS/SSL anyway.  I guess I'd respond that you could use TLS
> anyway because it would help in case of a network compromise.)
>
> Best,
>
> A


Re: Any advantage of using SSL with a certificate of authority?

From
John R Pierce
Date:
On 11/26/2013 12:16 PM, Robin wrote:
>   1. A self-signed certificate can be issued by anybody, there is no way of authenticating the issuer.
>   2. Distributing self-signed certificates becomes a pain - if signed by a CA, it's easy to lodge your public key where everybody can find it, and knows where to look for it.
>   3. Maintenance becomes a problem


while that's all true for public https or whatever, none of this applies to a point to point connection like libpq -> postmaster.



-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast

Re: Any advantage of using SSL with a certificate of authority?

From
Bruce Momjian
Date:
On Tue, Nov 26, 2013 at 12:30:08PM -0800, John R Pierce wrote:
> On 11/26/2013 12:16 PM, Robin wrote:
>
>      1. A self-signed certificate can be issued by anybody, there is no way of
>         authenticating the issuer.
>      2. Distributing self-signed certificates becomes a pain - if signed by a
>         CA, it's easy to lodge your public key where everybody can find it, and
>         knows where to look for it.
>      3. Maintenance becomes a problem
>
>
>
> while that's all true for public https or whatever, none of this applies to a
> point to point connection like libpq -> postmaster.

Right. I know of no mechanism to verify a certificate via a public CA
through SSL.  Browsers have a list of trusted certificates, but SSL
alone doesn't, as far as I know.

--
  Bruce Momjian  <bruce@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

  + Everyone has their own god. +


Re: Any advantage of using SSL with a certificate of authority?

From
Vick Khera
Date:

On Tue, Nov 26, 2013 at 4:48 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Right. I know of no mechanism to verify a certificate via a public CA
> through SSL.  Browsers have a list of trusted certificates, but SSL
> alone doesn't, as far as I know.

SSL as a library/protocol has mechanisms to verify the certificates. The list of certificates that are trusted is left to the implementation. Most people install the mozilla cert bundle and use that.