Do you actually need CA Certificates?

External “Trusted” CAs

 There is a common misconception that security is improved Through installing certificates issued by “trusted” CAs. The truth is that certificates issued by external CAs like Thawte, Verisign and GoDaddy are no more secure than those you create yourself! In fact, by going to an external source in the first place, and trusting them with your Certificate Signing Request (CSR) and Privacy Key (PK) at all, you are placing the security of your organization in their hands! External CAs are generally security-aware, but they are also massive targets for hackers. The risk, if your data got exposed by an external CA, is that hackers could masquerade as you and potentially gain access to critical systems!

The use case for external “trusted” CAs is in creating a secure relationship with an unknown and unauthenticated target, like a visitor to your website, or a client accessing a fileshare server. Because you trust a specific CA, and the client also trusts that CA, you are able to establish secure public communications. I usually get public certificates from GoDaddy

Self-signed certificates are fine

Your self-signed certificates are legitimate certificates! Not only are they just fine, they are inherently more secure for internal use by known and authenticated users and services than would be a certificate generated by an external CA. Moreover, self-signed certificates can/are usually generated with expiration dates longer than the one-year commonly purchased through external CAs. Self-signed certificates can be generated with dates of 10 years or longer (as is the default on vCenter/VCSA).

The best way

While self-signed certificates are just fine, they are generally created individually on a per-server and per-device basis. That means that the certificate used by Veeam is not the same as the one used by vCenter,is not the same as the one used by IPMI, etc. The disadvantage is that every time you connect with a new device, you will be presented with a warning “untrusted”and you should really compare that certificate with the original server certificate before logging in, to confirm authenticity and avoid spoofing.

The absolute best way to use certificates and avoid external exposure is to create your own CA and generate your own certificates for internal use on servers and services. This is remarkably easy, though very time-consuming, and by doing so it is possible to install the certificate(s)you create on servers and devices to confirm their authenticity organizationally and not on a per-server basis! If you are interested in having me install external “trusted” CA Certificates, or in creating your own CA and installing internal certificates on your vSphere (vCenter, ESXi, SSO, vRealize, Horizon View, etc.), SANs and other devices; give me a call at: 928-606-0483

John Borhek

John Borhek (VCP 3-6.5) is the IT Director and Lead Solutions Architect at VMsources Group Inc. and an active consultant specializing in VMware vSphere, Linux, Networking and Infrastructure Design.

Leave a Reply

Your email address will not be published. Required fields are marked *