0

Let's say a web server would like to host traffic over HTTPS. My incomplete understanding is that TLS enables HTTPS.

client <--- HTTPS (over TLS) ---> server

The server must produce a certificate to present to the client, who then must trust it to proceed the HTTPS communication. The server has 2 options to get a certificate:

  1. Buy a certificate from a "Trusted Certificate Authority"
  2. Create a certificate

In the first case, as I understand, the client's run-time, e.g. Java's JRE, will trust the certificate.

However, in the second case, as I understand, the client must add the "certificate" to their "trust store."

Assuming the above is partially correct, why would a company choose the second option, i.e. produce their own certificate?

Kevin Meredith
  • 121
  • 5

1 Answers1

1

Let's say I'm running a network of IOT devices and I want to enable trusted communications with them. If they're running with a standard certificate store, they'll trust any site with a certificate in their store. Alternatively, I could create my own PKI (Public Key Infrastructure), install only my certificate and these devices will only trust me. I can use this certificate to create encrypted sessions, monitor systems, deploy patches etc.

Another example is installing certificates on desktop endpoints and rejecting domain connections from systems without those certificates.

Another example would be installing certificates on payment terminals.

Consider also using client-side certificates to permit mutual authentication in client-server communications.

So, installing your own certificates can be a cheap way of creating a private trusted network.

AndyMac
  • 3,159
  • 13
  • 21