Any advantage of using SSL with a certificate of authority?

Started by Jesus Rafael Sanchez Medrano, over 12 years ago, 10 messages, general
#1Jesus Rafael Sanchez Medrano
jesusrafael@gmail.com

Looking to implement SSL. Every tutorial/sample I have found uses self
signed certificates. Would there be any advantage of using a certificate
from a CA such as digicert or rapidssl?

Att.
==
Jesus Rafael Sanchez Medrano
"Life is a dream, of which all must wake up"

#2Bruce Momjian
bruce@momjian.us
In reply to: Jesus Rafael Sanchez Medrano (#1)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 02:24:01PM -0400, Jesus Rafael Sanchez Medrano wrote:

Looking to implement SSL. Every tutorial/sample I have found uses self signed
certificates. Would there be any advantage of using a certificate from a CA
such as digicert or rapidssl?

Well, by using a CA you are giving the CA rights to the key, while you
fully control a self signed key. Since you probably don't expect
unknown individuals to be connecting to your database, a self signed
key is recommended.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3John R Pierce
pierce@hogranch.com
In reply to: Jesus Rafael Sanchez Medrano (#1)
Re: Any advantage of using SSL with a certificate of authority?

On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:

Looking to implement SSL. Every tutorial/sample I have found uses self
signed certificates. Would there be any advantage of using a
certificate from a CA such as digicert or rapidssl?

depends entirely on your use case. generally, since you control both
ends of a postgresql connection, there's no advantage to using signed
certificates, but if you have your own CA already, by all means go ahead
and use it.

--
john r pierce 37N 122W
somewhere on the middle of the left coast

#4Bruce Momjian
bruce@momjian.us
In reply to: John R Pierce (#3)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 10:33:47AM -0800, John R Pierce wrote:

On 11/26/2013 10:24 AM, Jesus Rafael Sanchez Medrano wrote:

Looking to implement SSL. Every tutorial/sample I have found uses self
signed certificates. Would there be any advantage of using a certificate
from a CA such as digicert or rapidssl?

depends entirely on your use case. generally, since you control both ends of
a postgresql connection, there's no advantage to using signed certificates, but
if you have your own CA already, by all means go ahead and use it.

Yes, definitely use your private CA so you can verify the chain. It is
public CAs that are not useful in this case.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +


#5Vick Khera
vivek@khera.org
In reply to: Bruce Momjian (#2)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 1:31 PM, Bruce Momjian <bruce@momjian.us> wrote:

Well, by using a CA you are giving the CA rights to the key, while you
fully control a self signed key. Since you probably don't expect
unknown individuals to be connecting to your database, a self signed
key is recommended.

You never give the key to them, just a signing request based on the key.
You lose no control over anything. They will in general insist your key be
at least 2048 bits.

The only advantage of having a CA key is if the client does authentication
of the server, and you have no prior arrangement with the client to accept
a certificate from your signing authority.

Using self-signed certs you can give them longevity of 10+ years, so never
have to worry about them again :)

#6Andrew Sullivan
ajs@crankycanuck.ca
In reply to: Vick Khera (#5)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:

Using self-signed certs you can give them longevity of 10+ years, so never
have to worry about them again :)

Unless of course you turn out to have a weak algorithm and, say, No
Such Agency decides to take up residence on your network. (It's not
clear that CAs are any protection against that either, though, of
course.) In general, 10+ years is probably too short a time to be
using a cert unless you are completely certain to whom it could be
exposed. (Some would argue that if you had that certainty, you might
not need TLS/SSL anyway. I guess I'd respond that you could use TLS
anyway because it would help in case of a network compromise.)

Best,

A

--
Andrew Sullivan
ajs@crankycanuck.ca


#7Robin
robinstc@live.co.uk
In reply to: Andrew Sullivan (#6)
Re: Any advantage of using SSL with a certificate of authority?

There is a downside to self-signed certificates.

1. A self-signed certificate can be issued by anybody, there is no way
of authenticating the issuer.
2. Distributing self-signed certificates becomes a pain - if signed by
a CA, it's easy to lodge your public key where everybody can find it,
and knows where to look for it.
3. Maintenance becomes a problem

I only use self signed certs for testing.

Robin St.Clair


On 26/11/2013 19:34, Andrew Sullivan wrote:

On Tue, Nov 26, 2013 at 02:18:58PM -0500, Vick Khera wrote:

Using self-signed certs you can give them longevity of 10+ years, so never
have to worry about them again :)

Unless of course you turn out to have a weak algorithm and, say, No
Such Agency decides to take up residence on your network. (It's not
clear that CAs are any protection against that either, though, of
course.) In general, 10+ years is probably too short a time to be
using a cert unless you are completely certain to whom it could be
exposed. (Some would argue that if you had that certainty, you might
not need TLS/SSL anyway. I guess I'd respond that you could use TLS
anyway because it would help in case of a network compromise.)

Best,

A

#8John R Pierce
pierce@hogranch.com
In reply to: Robin (#7)
Re: Any advantage of using SSL with a certificate of authority?

On 11/26/2013 12:16 PM, Robin wrote:

1. A self-signed certificate can be issued by anybody, there is no
way of authenticating the issuer.
2. Distributing self-signed certificates becomes a pain - if signed
by a CA, it's easy to lodge your public key where everybody can
find it, and knows where to look for it.
3. Maintenance becomes a problem

while that's all true for public https or whatever, none of this applies
to a point to point connection like libpq -> postmaster.

--
john r pierce 37N 122W
somewhere on the middle of the left coast

#9Bruce Momjian
bruce@momjian.us
In reply to: John R Pierce (#8)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 12:30:08PM -0800, John R Pierce wrote:

On 11/26/2013 12:16 PM, Robin wrote:

1. A self-signed certificate can be issued by anybody, there is no way of
authenticating the issuer.
2. Distributing self-signed certificates becomes a pain - if signed by a
CA, it's easy to lodge your public key where everybody can find it, and
knows where to look for it.
3. Maintenance becomes a problem

while that's all true for public https or whatever, none of this applies to a
point to point connection like libpq -> postmaster.

Right. I know of no mechanism to verify a certificate via a public CA
through SSL. Browsers have a list of trusted certificates, but SSL
alone doesn't, as far as I know.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ Everyone has their own god. +


#10Vick Khera
vivek@khera.org
In reply to: Bruce Momjian (#9)
Re: Any advantage of using SSL with a certificate of authority?

On Tue, Nov 26, 2013 at 4:48 PM, Bruce Momjian <bruce@momjian.us> wrote:

Right. I know of no mechanism to verify a certificate via a public CA
through SSL. Browsers have a list of trusted certificates, but SSL
alone doesn't, as far as I know.

SSL as a library/protocol has mechanisms to verify the certificates. The
list of certificates that are trusted is left to the implementation. Most
people install the mozilla cert bundle and use that.
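An added example, not code from the thread or from PostgreSQL, that puts the claims traded above into one runnable check: Bruce's point (#4) that a private CA lets the client verify the chain, Vick's (#5) that a self-signed cert works just as well once the client has been handed it in advance, Robin's (#7) that anybody can mint a self-signed certificate for a name, and Vick's last point that the protocol does the verifying while the trust list belongs to the implementation. It uses only Go's standard library. It builds a constructed private CA, a server certificate issued by that CA, and a self-signed server certificate for the same host name, then runs `x509.Certificate.Verify` against each candidate root. The root pool handed to `Verify` plays the role of the file a libpq client points `sslrootcert` at, and the `DNSName` check is the extra step `sslmode=verify-full` adds over `verify-ca`. The host name `db.example.internal` and the CA name "Example Private CA" are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// dbHost is the name the client will put in its connection string (constructed).
const dbHost = "db.example.internal"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer. parent == nil means self-signed, which is
// also what lets a certificate act as its own root when a client pins it.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// serverTemplate describes a certificate for the database host. The SAN entry
// is what the verify-full style host check compares against.
func serverTemplate(serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dbHost},
		DNSNames:     []string{dbHost},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// PKI holds the three certificates the thread compares.
type PKI struct {
	CA         *x509.Certificate // private CA: the one thing a client has to be told to trust
	Server     *x509.Certificate // server cert issued by that CA
	SelfSigned *x509.Certificate // server cert for the same host, signed with its own key
}

func BuildPKI() PKI {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour), // the 10-year lifetime discussed above
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := issue(caTmpl, nil, &caKey.PublicKey, caKey)

	srvKey := mustKey()
	server := issue(serverTemplate(2), ca, &srvKey.PublicKey, caKey) // CA signs the server's public key

	ssKey := mustKey()
	self := issue(serverTemplate(3), nil, &ssKey.PublicKey, ssKey) // nobody vouches for this one

	return PKI{CA: ca, Server: server, SelfSigned: self}
}

// trusts reports whether leaf chains to root and, when host is non-empty,
// also names that host (host == "" is the weaker verify-ca behaviour).
func trusts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // the implementation's trust list, per message #10
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome records the four verification results the thread argues about.
type Outcome struct {
	ServerViaCA      bool // CA-signed cert, client trusts the CA: accepted
	SelfSignedViaCA  bool // self-signed cert for the name, client trusts only the CA: rejected
	SelfSignedPinned bool // self-signed cert handed to the client in advance as its root: accepted
	WrongHostViaCA   bool // good chain, different host in the connection string: rejected
}

func Evaluate(p PKI) Outcome {
	return Outcome{
		ServerViaCA:      trusts(p.Server, p.CA, dbHost),
		SelfSignedViaCA:  trusts(p.SelfSigned, p.CA, dbHost),
		SelfSignedPinned: trusts(p.SelfSigned, p.SelfSigned, dbHost),
		WrongHostViaCA:   trusts(p.Server, p.CA, "other.example.internal"),
	}
}

func main() {
	fmt.Printf("%+v\n", Evaluate(BuildPKI()))
}
```

The two rejections only happen because the client was given a root to check against; with no `sslrootcert` (or a mode below `verify-ca`) a libpq client accepts any certificate, so John's "you control both ends" argument holds only once the client side is actually configured to verify. Andrew's caveat about long lifetimes applies most to the CA key in `BuildPKI`: it is the one key that must stay private for the chain check to mean anything.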