Saturday, November 10, 2012

Weblogic SSL : Trusted certificate authority signed certificate vs. Self signed certificate


Weblogic SSL : Trusted certificate authority signed certificate ( third party signed ) vs. Self signed certificate


What is the difference between CA signed certificate and self signed certificate ?


If you build up or going to build any eCommerce website then, the first thing that will come to your mind is, security. How to make out website secure from the fraudulent and man in the middle attack. or you can say if you are going to access any ecommerce website with your confidential credentials then how could you know that you are accessing the trusted one website. so it's all about the identity, trust and security over the web.

So, certificate is a physical entity just like a file on your computer, which contains the identity of authority who is the actual owner of a website like name, address, host name for their website etc, and apart from that this certificate is signed by either owner of the website ( in this way it called self signed certificate ) or by some third party certificate authorities ( also called CA ) like verisign, thwate etc ( in this was it is called third party or trusted certificate authority signed certificates.

To understand this properly you have to study further on some more topics like SSL, keystores, public and private key, digital certificate, identity and trust etc. I will be publishing another blog about them very soon. 

So net net, the difference between a self signed and trusted third party signed certificate is, a self sign certificate is self signed by the owner ( or you can say by yourself if you are going to create it for your environment ) however a third party CA certificated is signed by the third party authorities which is the recommended for your production live environments.

So, certificate is all about the encryption of data exchanging between you and the trusted destination, like your browser and any secure website you are going to access, to make sure no one can attack in the middle to get your credentials. 

One thing that is exactly the same on both type of certificates is - Regardless of whether certificate is self signed or by third party,  Both certificate will encrypt the data between source ( your browser ) and destination ( any secure website you are going to use ). 

You may get a question on your mind then why to use  third party signed certificate by paying the money ? 

Ok, the main difference is, On a CA signed certificate, the website owner and details verified by the certificate authority and as a customer you can trust blindly on any CA signed secure website but self sign certificate is signed by the owner of website itself so you can't trust on that because it wasn't identified and trusted by you or anyone.  And another thing is, if you are using a self sign certificate then on every access of your website you or customer it will be flagged as potentially risk there and you will get a security window there because almost every browser check if the secure ( https ) certificate is trusted by any CA or not and if not you or customer will get security risk flag. So you are trying to access any website that is showing you a security risk flag then make sure to investigate everything properly before you make it as trusted.

So Net Net, On every access of a secure website trusted or signed by the trusted CA, your browser will first check if that certificate is issues by any certificate authority and valid or not, then it will start further chain of trust. However, in case of self sign certificate, your browser will not check if certificate is issued by CA or not and will prompt you a security risk flag popup.


So if you are the owner of a website and -  

If you are using a self sign certificate then to a customer who is going to access your website, you are going to say "Hey trust me, I am who I say I am", its up to the customers if they trust you and provide their secure information over your website like account details, passwords etc based on your words :) 

If you are going to use a trusted CA certificate then you can say to a customer who is going access your website that "hey this is my website and it is trusted by verisign ( or whoever trusted authority you have used ), Now customer has no hesitation providing their secure credentials over your website.

So, Net Net, you should not use self-signed certificates for professional use, as your visitors will not trust your web site to be safe. 

So, If you are going to do any business over a website or if your website need customers secure credentials then make sure to secure your website using trusted CA certificates instead of just self sign certificates.

So, self sign certificates basically used in your non prod testing environments where you have to test your application for secure https functionality before implementing on live production environment. 




Stay tune for more on weblogic server SSL server information and implementation.



Tags : weblogic self sign certificates, trusted certificate authority, weblogic ssl configuration, generate self sign certificate, ssl configuration in weblogic





No comments:

Post a Comment