External “Trusted” CAs
There is a common misconception that security is improved by installing certificates issued by “trusted” CAs. The truth is that certificates issued by external CAs like Thawte, Verisign and GoDaddy are no more secure than those you create yourself! In fact, by going to an external source in the first place, and trusting them with your Certificate Signing Request (CSR) and Private Key (PK) at all, you are placing the security of your organization in their hands! External CAs are generally security-aware, but they are also massive targets for hackers. The risk, if your data were exposed by an external CA, is that hackers could masquerade as you and potentially gain access to critical systems!