Using your own digital certificates on internal corporate networks, such as intranets and VPNs, can save your business a lot of money.
Digital certificates form the basis of public key infrastructure (PKI) technology. These technologies are widely used for:
- encrypting e-mail messages,
- electronically signing documents,
- accessing VPN networks,
- SSL server authentication,
- digitally signing executable code, etc.
Certificates are an important component of a PKI-based security strategy because they make it possible to identify the owner of a particular public key.
With someone's public key, you can send encrypted information to that recipient, who decrypts it with his private key. If you receive a message encrypted by the sender with his private key, you can verify its authorship by decrypting it with the sender's public key from the certificate.
Certificates are usually issued by a Certificate Authority (CA), a trusted third party involved in the transmission of confidential information. CAs have root certificates (certificates containing their public keys) that are bundled with popular browsers. A CA vouches for the authenticity of the certificates it issues by adding a signature created with the CA's private key. Because each browser has the CA's public key, it can confirm that the certificate really was issued by the CA.
CAs such as Symantec, for example, have a good reputation, and their services are priced accordingly. Such authorities set the price of a certificate depending on the key length and on the average cost of the procedure required to verify information about the owner. For example, a standard annual Symantec certificate costs $400 or more, while an Extended Validation certificate, which implies a more detailed check of information about the owner, costs $1500 or more per year.
But if your web server is secure and is used only by employees of your organization, or encrypted messages are addressed only to your employees, or you use digital certificates to identify your employees on VPN networks, then there is no need to pay for the services of CAs.
The advantage of creating your own CA is obvious: an unlimited number of free certificates. However, you will need to buy a license for a CA software package or deploy a CA with the free OpenSSL, and cover the cost of the hardware.
It is also important that the CA administrator's private key be stored securely, to prevent cyber fraud and certificate forgery. Of course, this may be safer than relying on outside help in the form of a third-party CA.
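The signing and verification steps described above, and the option of deploying a CA with OpenSSL, can be seen in a short shell script. This is an added example, not part of the original article; the organization name, host name and file layout are constructed, and it assumes the `openssl` command-line tool with its default configuration file is installed.

```shell
#!/bin/sh
# Added example: a private root CA built with the OpenSSL command line.
# All names (Example Corp, intranet.example.internal) are constructed.

# Create the root CA: a private key and a self-signed root certificate.
make_ca() {   # $1 = directory for the CA files
    mkdir -p "$1" && chmod 700 "$1"
    # umask 077 makes the CA private key readable by its owner only
    ( umask 077; openssl genrsa -out "$1/ca.key" 3072 2>/dev/null )
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Corp Internal Root CA" -out "$1/ca.crt"
}

# Issue a server certificate: the CA signs the server's name and public key.
issue_cert() {   # $1 = CA directory, $2 = DNS name, $3 = output file prefix
    ( umask 077; openssl genrsa -out "$3.key" 2048 2>/dev/null )
    openssl req -new -key "$3.key" -subj "/O=Example Corp/CN=$2" -out "$3.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$3.ext"
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$3.ext" -out "$3.crt" 2>/dev/null
}

# What a client does: accept a certificate only if the trusted root signed it.
verify_cert() {   # $1 = trusted root certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    make_ca "$work/ca" || return 1        # the company's own CA
    make_ca "$work/other" || return 1     # a different key pair, same CA name
    issue_cert "$work/ca" intranet.example.internal "$work/good" || return 1
    issue_cert "$work/other" intranet.example.internal "$work/forged" || return 1
    verify_cert "$work/ca/ca.crt" "$work/good.crt" && echo "good.crt: trusted"
    verify_cert "$work/ca/ca.crt" "$work/forged.crt" || echo "forged.crt: rejected"
    rm -rf "$work"
}
demo
```

The second certificate names the same issuer but is rejected, because only a signature made with the trusted CA's private key verifies against its root certificate.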