What's the best approach for issuing client certificates to customers? Should we run our own certificate services (we're on Win 2008 R2), and issue them that way? Is there a CA that will issue them for us? Comodo will issue client certificates for email purposes, but we need them for allowing our clients to access our website (via browser and API).
A professional certificate authority business has more experience in securing CA transactions and can handle that outsourced, for a fee. This may be $10 a certificate but it can likely meet government or commercial standards that are applicable to regulated industries and general risk transfer (off your company).
While $10 a pop may be daunting, keep in mind that a CA will also pick up for you all the proper costs associated with running a real CA.
Working with a CA could enable you to run a registration authority that determines who will get credentials, and hand off the more painful part to a CA, depending on the specific model of that CA.
Windows-based PKI implementations are generally insecure; they have online and easily compromised PKIs that expose companies to risk. They rarely use HSMs, and a domain admin compromise can yield a complete PKI compromise.
Standard digital certificates can be used both for accessing websites and for logon to domains, email encryption, signatures and physical entry, depending on the certificate and object IDs (OIDs). Digital certificates can be in software (vulnerable to theft) or hardware (more secure, but still compromisable via malware MITM attacks).
Many companies faced with the same decision as you partner with a PKI provider that will advise. But there are several models for this.
You can easily issue an RFI to several different CAs and PKI providers in order to determine their costs, and sample implementations they have performed for requirements similar to yours. With a more detailed RFP, you could do an extensive cost comparison between running PKI services internal to your company, outsourcing it, or a hybrid.
With the above data, and knowing your company's core competencies, you are prepared to make the decision about whether you should do it internally or externally, and with whom. Even if you decide to stay internal, you'll have learned a great deal more in the process.
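An added example (not from the question or the answer above) of the OID point: a throwaway private CA built with the openssl CLI issues one certificate whose extended key usage is clientAuth and one whose extended key usage is only emailProtection, and `openssl verify -purpose sslclient` is used as the check that tells them apart, which is the difference between an email certificate and one a browser or API client can present to your website. The CA name, subject names and file paths are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. Demo CA and subjects are constructed.
# EKU OIDs involved: clientAuth = 1.3.6.1.5.5.7.3.2, emailProtection = 1.3.6.1.5.5.7.3.4.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed root. Demo only: a production CA key belongs in an HSM, offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=Demo Customer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue an end-entity certificate from the demo CA.
# $1 = file basename, $2 = extendedKeyUsage value(s), $3 = subject CN
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature\nbasicConstraints = CA:FALSE\n' \
    "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Returns 0 if the certificate chains to the demo CA and is acceptable as a TLS
# client certificate. "-purpose sslclient" rejects a certificate whose EKU
# extension is present but lacks clientAuth, so an email-only cert fails here.
usable_for_client_auth() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

make_ca
issue_cert web   clientAuth      "customer-42-web"     # what the question needs
issue_cert email emailProtection "customer-42-email"   # an S/MIME-style cert

usable_for_client_auth "$WORK/web.crt"   && echo "web.crt:   accepted for TLS client auth"
usable_for_client_auth "$WORK/email.crt" || echo "email.crt: rejected, no clientAuth EKU"
```

The same `-purpose sslclient` check is what a TLS server's verifier applies implicitly, so a certificate that fails it here would also be refused at the website or API endpoint.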