Self-signed certificate

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies. This term has nothing to do with the identity of the person or organization that actually performed the signing procedure. In technical terms, a self-signed certificate is one signed with its own private key.

In typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information).[1]

Security issues

CAs are third parties and require both parties to trust the CA. (CAs are typically large, impersonal enterprises and a high-value target for compromise.) If the parties know each other, trust each other to protect their private keys, and can confirm the accurate transfer of public keys (e.g. compare the hash out of band), then self-signed certificates may decrease overall risk. Self-signed certificate transactions may also present a far smaller attack surface.
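The two properties described above, a certificate signed with its own private key and a hash compared out of band, can be checked with OpenSSL as in the following added example (not part of the original article). The function names, the temporary paths and the peer.example common name are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names, paths and the CN are constructed for illustration.

# Create a throwaway key pair and a certificate signed with that same key.
make_self_signed() {  # $1 = output directory, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print the SHA-256 fingerprint as lowercase hex without separators.
cert_fingerprint() {  # $1 = certificate file (PEM)
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed only if issuer equals subject and the signature verifies
# under the certificate's own public key.
is_self_signed() {  # $1 = certificate file (PEM)
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || return 1
    # -check_ss_sig asks OpenSSL to verify the self-signature as well,
    # which it does not do by default for the last certificate in a chain.
    openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Compare the certificate against a fingerprint received out of band.
pin_matches() {  # $1 = certificate file, $2 = pinned fingerprint (any case, colons allowed)
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    [ "${#want}" -eq 64 ] || return 1   # reject truncated or malformed pins
    [ "$(cert_fingerprint "$1")" = "$want" ]
}

# Demo: what the certificate holder would run before sharing the fingerprint.
demo_dir=$(mktemp -d)
make_self_signed "$demo_dir" "peer.example"
is_self_signed "$demo_dir/cert.pem" && echo "self-signed: yes"
echo "fingerprint to share out of band: $(cert_fingerprint "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```

The receiving party runs pin_matches on the certificate it was actually presented, using the fingerprint it obtained through the separate channel, and refuses the connection if the check fails.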

Self-signed certificates cannot (by nature) be revoked,[2] so if a private key has been compromised, an attacker who has already gained access to monitor and inject data into a connection may be able to spoof an identity. CAs, on the other hand, have the ability to revoke any compromised certificate they signed if alerted, which prevents its further use.

Some CAs can verify the identity of the person to whom they issue a certificate; for example, the US military issues its Common Access Cards in person, with multiple forms of other ID, and only when a higher authority requires the issue.

Other issues

Cost: Self-signed certificates can be created for free using a wide variety of tools including OpenSSL, Java's keytool, Adobe Reader, and Apple's Keychain. Certificates bought from major CAs often cost around a hundred dollars per year. In December 2015,[3] Mozilla Foundation launched Let's Encrypt, which allows one to obtain a DV certificate for free.

Speed to deploy: Self-signed certificates require the two parties to interact (e.g. to securely trade public keys). Using a CA requires only the CA and the certificate holder to interact; the holder of the public key can validate its authenticity with the CA's root certificate.

Customization: Self-signed certificates are easier to customize, for example with a larger key size, contained data, metadata, etc.

References

  1. Perlman, Radia (1995). Network Security: Private Communication in a Public World. Prentice Hall. p. 190. ISBN 0-13-061466-1.
  2. http://www.ietf.org/rfc/rfc2459.txt
  3. "Public Beta". Let's Encrypt. Retrieved 2015-12-06.
This article is issued from Wikipedia - version of the 9/8/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.