Posted by S. Pidgorny on June 22, 2007, 8:14 am
A,B - yes
C - shop around
D - yes (also cost involved although indirect)
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
> Svyatoslav and Roger, thank you for your answers.
>
> Let me continue with collecting my conclusions:
>
> A. Making our own CA which issues certificates and signs them with the
> certificate which is signed by a world-wide trusted CA - it is an expensive
> solution and involves complicated procedures.
>
> B. Ordering a wild card certificate for the domain *.mycompany.com - it is
> also expensive, but much cheaper than solution A.
>
> C. Ordering a certificate for an individual DNS name - it is relatively
> cheap.
> I guess the coming question needs rather to search for the prices on the CA
> websites, but perhaps you know:
> When we have - let's say - 30 installations: is the variant C (with 30
> individual certificates) still cheaper than the variant B (with wild card
> cert)?
>
> D. Making our own root CA, but with our self-signed certificate. Then on the
> machines running the client's applications "our root CA" should be somehow
> added to the trusted agencies.
>
> I will be very thankful for confirmation or further comments :)
>
> Greetings,
> Polo.
>
> "Roger Abell [MVP]" wrote:
>
>> One other alternative, also not cheap, would be a wildcard cert
>> for SSL, which could work if all of your installs of the app ended
>> in say mycompany.com (app1.mycompany.com, etc.).
>> The price from a cert issuer in the public trust for wildcard SSL
>> cert is obviously than that of individual DNS host cert, but still
>> much below the licensing for issuing your own certs countersigned
>> by a public authority.
>>
>> Roger
>>
>> > Hi all,
>> >
>> > I am completely new to the certificate issues, so I guess my question is
>> > kind of a basic one. I was searching the Web but now I have kind of a mess
>> > of information in my head ;) and I would like to make some order...
>> >
>> > We are making a Web application which receives and sends some XML. We want
>> > to make it work over HTTPS. There will be more than one installation of
>> > this application. We need to get a certificate for each of those
>> > installations (as it is generated for a given DNS name), right?
>> >
>> > I guess this is important to ensure that the client applications (not the
>> > Web browser, just a dedicated application) will trust the certificate used
>> > by our application. So, as far as I read about it, there are two
>> > possibilities to get such a certificate:
>> >
>> > 1. Order the certificate (for each DNS name) from a commercial world-wide
>> > trusted certification agency.
>> > 2. Install and maintain Microsoft Certificate Services and produce our own
>> > certificates (so it is making our own CA).
>> >
>> > As far as I understand, if we choose to use Microsoft Certificate Services
>> > and we want the client applications to trust our certificate, we should
>> > sign our certificates with the certificate which is signed by a world-wide
>> > trusted CA. It means first we need to order one commercial certificate for
>> > signing the certificates generated by our local CA. Is that correct?
>> >
>> > Then the client applications will also trust our certificate - and this
>> > will be because there is a "certificate path" to the trusted root
>> > certificate.
>> > Is this certificate path included in the certificate itself? Is there any
>> > performance issue connected to checking a certification path?
>> >
>> > As we are responsible for all the installations of our application, the
>> > only access to the Microsoft Certificate Services will be from inside of
>> > our company. However, the certificates generated by the Microsoft
>> > Certificate Services must be trusted by the client applications from
>> > outside of the company.
>> >
>> > Ok. Does it sound reasonable at all or am I missing the point?
>> > What are the advantages/disadvantages of the points 1. and 2.?
>> >
>> > I will be very thankful for answers.
>> >
>>
>>
>>
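
Option D from the thread (a company root CA with a self-signed certificate that the client machines are told to trust), walked through with the openssl command line as an added example. It is not code from any poster in the thread; the CA name, the file names and the use of openssl instead of Microsoft Certificate Services are assumptions.

```shell
#!/bin/sh
# Added example of option D. Constructed names: "Example Private Root CA",
# the file names, and app1.mycompany.com (the thread's own sample host name).

# build_pki DIR: create a self-signed root CA and one server certificate.
build_pki() {
    dir=$1
    # Root CA: self-signed, so no public authority vouches for it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # Key pair and signing request for one installation's DNS name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app1.mycompany.com" \
        -keyout "$dir/app1.key" -out "$dir/app1.csr" 2>/dev/null || return 1
    # The root signs the request; the DNS name is carried in subjectAltName.
    printf 'subjectAltName=DNS:app1.mycompany.com\n' > "$dir/app1.ext"
    openssl x509 -req -in "$dir/app1.csr" -days 365 \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/app1.ext" -out "$dir/app1.crt" 2>/dev/null || return 1
}

# client_trusts ROOT_CRT SERVER_CRT HOSTNAME: the check a dedicated client
# performs. Verifies SERVER_CRT with ROOT_CRT supplied as the trust anchor
# and checks that the certificate names HOSTNAME.
client_trusts() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d) && build_pki "$demo_dir" && {
    client_trusts "$demo_dir/root.crt" "$demo_dir/app1.crt" app1.mycompany.com &&
        echo "app1.mycompany.com: accepted, path ends at the private root"
    client_trusts "$demo_dir/root.crt" "$demo_dir/app1.crt" app2.mycompany.com ||
        echo "app2.mycompany.com: rejected, name is not in the certificate"
    rm -rf "$demo_dir"
}
```

Only `root.crt` goes to the client machines; `root.key` stays with the CA, and each further installation needs its own certificate issued for its own DNS name.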