SSL签名证书供内部使用 [英] SSL signed certificates for internal use
问题描述
我有一个分布式应用程序,由许多组件组成,这些组件通过TCP(例如JMS)和HTTP进行通信。所有组件都在具有内部IP地址的内部硬件上运行,并且公众无法访问。
I have a distributed application consisting of many components that communicate over TCP (for examle JMS) and HTTP. All components run on internal hardware, with internal IP addresses, and are not accessible to the public.
我想使用SSL使通信安全。从知名的证书颁发机构购买签名证书是否有意义?还是应该只使用自签名证书?
I want to make the communication secure using SSL. Does it make sense to purchase signed certificates from a well-known certificate authority? Or should I just use self-signed certs?
我对受信任证书的优点的理解是,授权机构是可以被大众信任的实体,但这只是当大众需要时才需要解决的问题。确保特定域中的实体就是他们所说的。
My understanding of the advantage of trusted certs is that the authority is an entity that can be trusted by the general public - but that is only an issue when the general public needs to be sure that the entity at a particular domain is who they say they are.
因此,在我的情况下,如果同一组织负责通信两端的组件,以及两者之间的所有内容,那么公共信任的权威将毫无意义。换句话说,如果我为自己的服务器生成并签署了证书,那么我知道它是可信赖的。并且永远不会要求组织外部的任何人信任此证书。这就是我的推理-我是正确的,还是使用来自已知权威的证书有潜在的优势?
Therefore, in my case, where the same organization is responsible for the components at both ends of the communication, and everything in between, a publicly trusted authority would be pointless. In other words, if I generate and sign a certificate for my own server, I know that it's trustworthy. And no one from outside the organization will ever be asked to trust this certificate. That is my reasoning - am I correct, or is there some potential advantage to using certs from a known authority?
推荐答案
您无需将外部公共CA用于封闭社区项目。在许多大型组织中,他们运营内部PKI来为此类内部项目颁发证书。使用PKI的一个优点是,您可以基于一个安全地分发的根证书/信任锚,在各个组件之间建立信任关系。
There is no need for you to use an external public CA for a closed community project. In many larger organisations they operate an internal PKI to issue certs for internal projects like this. An advantage of using a PKI is that you can setup a trust relationship between the various components based on a single securely distributed root certificate / trust anchor.
但是,如果项目允许内部用户通过他们的Web浏览器安全地连接到内部服务,您可能需要考虑使用公共CA颁发的证书。另一种方法是确保可能需要连接到您的服务的每个浏览器都信任您的根证书;这是为了防止浏览器发出警告消息。
However, if the project allowed internal users to connect securely to an internal service via their web browser you may want to consider using a public CA issued cert. The alternative is to make sure that every browser that may need to connect to your service trusted your root cert; this is to prevent browser warning messages.
这篇关于SSL签名证书供内部使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
