TLS/SSL has become a de-facto protocol even for development and internal APIs.
Many projects resort to self-signed/self-generated certificates. These certificates, however, have a large downside. It’s difficult to frequently refresh them since all the clients would have to update them at the same time so that they remain trusted.
To minimize the effort, self-signed certificates are often issued for several years, which, of course, compromises security.
An internal Certificate Authority can be used instead to avoid the issue of updating expired self-signed end certificates.
An internal CA can be issued for multiple years, so there is no need for frequent updates across all clients.
An internal CA is really not much different from an “official” CAs like DigiCert. DigiCert would simply verify domain ownership before signing the certificate request. Once this is done, it would signs our certificate request thus creating a valid X.509 cert. The signature (usually using SHA256WITHRSA) is stored in a separate field in the X.509 cert as defined in rfc5280.
If needed, an internal CA could conduct a more in-depth verification of the request, including obtaining information on what kind of service the new certificate will be used for.
It can also mandate various extensions on key usage thus making the cert more secure. Of course, certificate duration can be reduced to six months or less; there is really no reason why a certificate should be valid for 12 months.
 
Read the rest of this post »
