We need to use SSL on our internal network for a few sensitive applications, and I need to know if there is a difference between a self-signed certificate and one signed by a Windows Server CA that we set up? Do we need to set up a CA?
In the short term for a single service there isn't much difference.
If you decide you need to set up more services that use SSL, then you may find that setting up a CA would have been a better choice.
If you set up a CA, you should be able to get your clients to trust the CA and thus any certs it signs. Once the CA is up, adding additional services is easy. With lots of self-signed certs a user will have to accept each certificate separately.
Are you saying you have a Windows CA? If you already have one, I would use it. If you don't already have one, I would be tempted to use a lightweight system like TinyCA which you could run in a VM or off a Linux on a USB disk.
A certificate may contain information about which uses it is authorized for, such as whether it's allowed to be used for signing other public key certificates, or whether it's a CA certificate. Some implementations may check for that kind of information and refuse to honor a certificate for certain purposes without the right info.
Examples of these extra pieces of information include:
If you're creating your own self-signed cert, and you want to use it as a CA cert, and you want to increase your chances of having it accepted by whatever software you'll be using it with, you should probably make sure it contains properly-configured values for those two extensions I mentioned above.
If you omit those two extensions, many implementations might still honor it as a CA cert, but some implementations might not.
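To make the point above concrete, here is an added example (not code from the thread) using only Go's standard crypto/x509 package: it builds a self-signed issuer three ways, has it sign a server certificate, installs the issuer as the single trusted root and asks Go's verifier whether the chain is accepted. The CA name and the hostname app.internal.test are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const (
	ProperCA      = iota // basicConstraints CA:TRUE and keyUsage keyCertSign
	OmittedCA            // neither extension present
	ExplicitNonCA        // basicConstraints present but CA:FALSE
)
// ChainVerifies has an issuer built in the given mode sign a server cert, then asks
// Go's verifier whether the chain is valid with that issuer as the one trusted root.
func ChainVerifies(mode int) bool {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Internal CA (constructed)"},
		NotBefore:             time.Now(), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: mode != OmittedCA, // emit basicConstraints at all?
		IsCA:                  mode == ProperCA,  // CA:TRUE, or CA:FALSE for ExplicitNonCA
	}
	if mode == ProperCA {
		caTmpl.KeyUsage = x509.KeyUsageCertSign // keyCertSign
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "app.internal.test"},
		DNSNames:     []string{"app.internal.test"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { // a stricter library might refuse to sign with a non-CA here
		return false
	}
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the single trust decision a client has to make
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "app.internal.test"})
	return err == nil
}
```

A properly marked issuer verifies and one carrying CA:FALSE is rejected; whether the issuer with the extensions omitted is honoured depends on the verifier, which is exactly the implementation-dependent point made above.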
If you want to sign your own certificates, you'll need a CA (whether it's yours or an official one). But, you don't need to push your CA to users unless you plan on signing multiple certificates and want your users only to have to accept one (i.e., if they install your CA, all certificates you issue will then be accepted). It might be better to push the CA in the long term.
Aren't they the same thing? A cert issued by your own internal CA is "self-signed", meaning it wasn't issued by an external CA, right?