使用自签名的root ca来获得休息服务的利弊是什么？ [英] What are the pros and cons using a self signed root ca for securing a rest service?

问题描述

我们正在尝试部署REST服务（该服务不会面向互联网），并希望使用ssl保护它。为此，我们需要证书并且为了使事情变得更容易，我们在安装时创建了一个根CA。

We are trying to deploy a REST service (service would not face the internet) and would like to secure it using ssl. For this we need certificates and to make things easier we are creating a Root CA at install time.

这是个好主意吗？使用自签名证书的优缺点是什么？这是一个好习惯吗？

Is this a good idea? What are the pros and cons using self signed certificate? Is this a good practuice?

我是这个领域的新手，因此，如果我问一些愚蠢的事情，请对我温柔！

推荐答案

使用自签名证书的优点是，在开发时可以节省一些钱。缺点是您会使编写客户端更加困难，或者要求用户单击严重可怕警告。我真的建议您不要告诉用户单击BSW，因为BSW是保护用户免受攻击者执行中间人攻击之类的保护的重要组成部分。

The pro of using a self-signed certificate is that you save a bit of money when developing. The con is that you make writing the clients harder or require users to click through a "Big Scary Warning". I really advise never telling users to click through BSWs, as they're a key part of the protection for users against attackers doing things like man-in-the-middle attacks.

看，获得一个简单的真正的单主机证书确实很便宜（每年几美元）。尝试节省这么少的钱是不值得的。当您要建立私有CA并关闭对所有标准CA的支持时， 才是值得的。这有点偏执，但是在高安全性配置中是可以接受的，在这种配置中，分发专用CA证书并将其安装在客户端中的痛苦是可以承受的。但是通常，最便宜的只是购买便宜的证书……

Look, getting a simple real single-host certificate is really cheap (as in a few dollars per year). It's not worth trying to save that small an amount. Where it is worthwhile is when you're going to set up a private CA, and to turn off support for all the standard CAs; that's paranoid, but acceptable in a high-security configuration where the pain of distributing the private CA certificate and installing it in clients is bearable. But usually it's sanest to just buy a cheap certificate…

这篇关于使用自签名的root ca来获得休息服务的利弊是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！