Thread: Any advantage of using SSL with a certificate of authority?
Looking to implement SSL. Every tutorial/sample I have found uses self signed certificates. Would there be any advantage of using a certificate from a CA such as digicert or rapidssl?
Att.
==
Jesus Rafael Sanchez Medrano
"Life is a dream, of which all must wake up"
On Tue, Nov 26, 2013 at 02:24:01PM -0400, Jesus Rafael Sanchez Medrano wrote:
> Looking to implement SSL. Every tutorial/sample I have found uses self signed
> certificates. Would there be any advantage of using a certificate from a CA
> such as digicert or rapidssl?

Well, by using a CA you are giving the CA rights to the key, while you fully control a self signed key. Since you probably don't expect unknown individuals to be connecting to your database, a self signed key is recommended.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:
> Looking to implement SSL. Every tutorial/sample I have found uses self signed
> certificates. Would there be any advantage of using a certificate from a CA
> such as digicert or rapidssl?
depends entirely on your use case. generally, since you control both ends of a postgresql connection, there's no advantage to using signed certificates, but if you have your own CA already, by all means go ahead and use it.
-- 
john r pierce 37N 122W
somewhere on the middle of the left coast
On Tue, Nov 26, 2013 at 10:33:47AM -0800, John R Pierce wrote:
> On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:
> > Looking to implement SSL. Every tutorial/sample I have found uses self
> > signed certificates. Would there be any advantage of using a certificate
> > from a CA such as digicert or rapidssl?
>
> depends entirely on your use case. generally, since you control both ends of
> a postgresql connection, there's no advantage to using signed certificates, but
> if you have your own CA already, by all means go ahead and use it.

Yes, definitely use your private CA so you can verify the chain. It is public CAs that are not useful in this case.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
On Tue, Nov 26, 2013 at 1:31 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Well, by using a CA you are giving the CA rights to the key, while you
> fully control a self signed key. Since you probably don't expect
> unknown individuals to be connecting to your database, and self signed
> key is recommended.
You never give the key to them, just a signing request based on the key. You lose no control over anything. They will in general insist your key be at least 2048 bits.
The only advantage of having a CA key is if the client does authentication of the server, and you have no prior arrangement with the client to accept a certificate from your signing authority.
Using self-signed certs you can give them longevity of 10+ years, so never have to worry about them again :)
On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:
> Using self-signed certs you can give them longevity of 10+ years, so never
> have to worry about them again :)

Unless of course you turn out to have a weak algorithm and, say, No Such Agency decides to take up residence on your network. (It's not clear that CAs are any protection against that either, though, of course.)

In general, 10+ years is probably too short a time to be using a cert unless you are completely certain to whom it could be exposed. (Some would argue that if you had that certainty, you might not need TLS/SSL anyway. I guess I'd respond that you could use TLS anyway because it would help in case of a network compromise.)

Best,

A

-- 
Andrew Sullivan
ajs@crankycanuck.ca
There is a downside to self-signed certificates.
I only use self signed certs for testing.
- A self-signed certificate can be issued by anybody, there is no way of authenticating the issuer.
- Distributing self-signed certificates becomes a pain - if signed by a CA, it's easy to lodge your public key where everybody can find it, and knows where to look for it.
- Maintenance becomes a problem
Robin St.Clair

On 26/11/2013 19:34, Andrew Sullivan wrote:
> On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:
> > Using self-signed certs you can give them longevity of 10+ years, so never
> > have to worry about them again :)
>
> Unless of course you turn out to have a weak algorithm and, say, No Such
> Agency decides to take up residence on your network. (It's not clear that
> CAs are any protection against that either, though, of course.)
>
> In general, 10+ years is probably too short a time to be using a cert
> unless you are completely certain to whom it could be exposed. (Some would
> argue that if you had that certainty, you might not need TLS/SSL anyway. I
> guess I'd respond that you could use TLS anyway because it would help in
> case of a network compromise.)
>
> Best,
>
> A
On 11/26/2013 12:16 PM, Robin wrote:
> - A self-signed certificate can be issued by anybody, there is no way of
> authenticating the issuer.
> - Distributing self-signed certificates becomes a pain - if signed by a CA,
> it's easy to lodge your public key where everybody can find it, and knows
> where to look for it.
> - Maintenance becomes a problem
while that's all true for public https or whatever, none of this applies to a point to point connection like libpq -> postmaster.
-- 
john r pierce 37N 122W
somewhere on the middle of the left coast
On Tue, Nov 26, 2013 at 12:30:08PM -0800, John R Pierce wrote:
> On 11/26/2013 12:16 PM, Robin wrote:
> > 1. A self-signed certificate can be issued by anybody, there is no way of
> > authenticating the issuer.
> > 2. Distributing self-signed certificates becomes a pain - if signed by a
> > CA, it's easy to lodge your public key where everybody can find it, and
> > knows where to look for it.
> > 3. Maintenance becomes a problem
>
> while that's all true for public https or whatever, none of this applies to a
> point to point connection like libpq -> postmaster.

Right. I know of no mechanism to verify a certificate via a public CA through SSL. Browsers have a list of trusted certificates, but SSL alone doesn't, as far as I know.

-- 
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ Everyone has their own god. +
On Tue, Nov 26, 2013 at 4:48 PM, Bruce Momjian <bruce@momjian.us> wrote:
> Right. I know of no mechanism to verify a certificate via a public CA
> through SSL. Browsers have a list of trusted certificates, but SSL
> alone doesn't, as far as I know.
SSL as a library/protocol has mechanisms to verify the certificates. The list of certificates that are trusted is left to the implementation. Most people install the mozilla cert bundle and use that.
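The points made across this thread (the client decides which roots it trusts, a private CA lets it verify the chain, a self-signed certificate can simply be pinned for a point-to-point libpq connection, and only a host-name check stops a different certificate from the same issuer being accepted) can be shown end to end in code. The following is an added example, not part of the thread and not PostgreSQL or libpq code: it uses Go's standard crypto/x509 to build a private CA and server certificates in memory, and `verifyAs` is this example's own stand-in for the client checks libpq performs under `sslmode=verify-ca` (chain to a cert in `sslrootcert`) and `sslmode=verify-full` (chain plus host name). The CA name and host names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer is a key pair plus its certificate, able to sign other certs.
// In PostgreSQL terms its cert is what a client stores as root.crt (sslrootcert).
type issuer struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

var serial int64 // constructed: a counter is enough for an in-memory example

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// newCA creates a self-signed private CA certificate (assumed placeholder name).
func newCA(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{key: key, cert: cert}, nil
}

// newServerCert issues a server certificate for host. With ca == nil it is
// self-signed (the tutorials' setup); otherwise the private CA signs it.
// The host name is placed in the SAN so a verify-full style check can match it.
func newServerCert(host string, ca *issuer) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if ca != nil {
		parent, signer = ca.cert, ca.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// poolOf builds a trust store containing exactly the given certificates,
// mirroring sslrootcert: nothing outside the file is trusted, public CAs included.
func poolOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// verifyAs is this example's model of the client check: chain validation to a
// trusted root (verify-ca) and, when full is set, a host-name match (verify-full).
// A nil result means the client would accept the server.
func verifyAs(server *x509.Certificate, roots *x509.CertPool, host string, full bool) error {
	opts := x509.VerifyOptions{Roots: roots}
	if full {
		opts.DNSName = host
	}
	_, err := server.Verify(opts)
	return err
}

func main() {
	const host = "db.example.internal" // constructed placeholder
	ca, _ := newCA("Example Private CA")
	good, _ := newServerCert(host, ca)
	selfSigned, _ := newServerCert(host, nil)
	otherHost, _ := newServerCert("other.example.internal", ca)
	fmt.Println("CA-signed, verify-full:     ", verifyAs(good, poolOf(ca.cert), host, true))
	fmt.Println("self-signed vs private CA:  ", verifyAs(selfSigned, poolOf(ca.cert), host, true))
	fmt.Println("self-signed pinned directly:", verifyAs(selfSigned, poolOf(selfSigned), host, true))
	fmt.Println("other host, verify-ca:      ", verifyAs(otherHost, poolOf(ca.cert), host, false))
	fmt.Println("other host, verify-full:    ", verifyAs(otherHost, poolOf(ca.cert), host, true))
}
```

The first, third and fourth checks pass and the second and fifth fail. The third case is the point-to-point setup from the thread: copying the server's own self-signed certificate into the client's root file is enough for the client to authenticate that one server. The last two cases are why `verify-full` rather than `verify-ca` is the setting to use once more than one certificate is issued from the same private CA: `verify-ca` only proves the server holds some certificate from your CA, `verify-full` proves it holds the one for the host you asked for.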