Can I use a Private CA instead of a Public CA in Edge Services?


I got an email a couple of days ago from a concerned IT Pro:

“…I read that the public interface of the edge server must have a public certificate (this link in the edge server document:

http://r.office.microsoft.com/r/rlidOCS?clid=1033&p1=SupportedCAs)

I want to know whether I must use a Public CA or whether I can use the Private CA in my company?…”


That link doesn’t say you must use a Public CA certificate; it says the certificate has to meet specific requirements for the advanced functionality of the Edge Server. The same documentation also links to instructions for getting this working with your own Private CA. So yes, it can work with your Private CA, provided your CA can issue certificates with Subject Alternative Names (SANs), in other words a single certificate that is valid for several hostnames (URLs) at once.

So why wouldn’t you use your own Private CA for everything, given that it’s much cheaper than paying someone else for the same thing (i.e. a Public CA-signed certificate)?

When a client makes an SSL connection to a service, whether that be HTTP or otherwise, it checks three things before it accepts the connection as valid:

1. Is the Root CA that signed the certificate (directly, or through an intermediate CA) trusted by the client?

2. Does the hostname we typed (or have hard-coded) match a name in the certificate, either the Subject common name or one of its Subject Alternative Names?

3. Is the certificate valid at the current date and time (i.e. already valid and not yet expired)?

The big issue is the certificate trust chain. If you are using your own Private CA and have not imported the Root CA certificate (and any intermediate CA certificates) into the trusted root store of every client that will connect to your service, then SSL negotiation will fail: the client cannot build a chain from the server’s certificate to a root it trusts, so it treats the certificate as untrusted even though the signature itself is well formed.

That’s the big value of using a Public CA: the root of that CA is (generally) already in every browser and OS, so you don’t need to configure anything on the client for SSL negotiation to work. That matters most on the public interface of an Edge Server, where many of the connecting clients are not machines you manage.
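The following script is an added example and is not part of the original post or of any Microsoft documentation. It builds a throwaway private root CA with OpenSSL, issues an edge-server certificate that carries several Subject Alternative Names (the SAN approach mentioned above), and then runs the three client-side checks just listed, showing each one passing and failing: the chain check with and without the private root imported, the hostname check against a name on the certificate and one that is not, and the validity check at today’s date and at a date past the certificate’s lifetime. The hostnames under contoso.com are placeholders, and the script assumes OpenSSL 1.1.1 or later on a Unix-like host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a throwaway private CA,
# issue an edge-server certificate with several Subject Alternative Names,
# then run the three checks a client performs on it, using OpenSSL.
# Hostnames under contoso.com are placeholders. Needs OpenSSL 1.1.1 or later.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca.crt"
EDGE_CRT="$WORK/edge.crt"

# One config file for both the self-signed root and the edge CSR.
# [v3_ca] marks the root as a CA; the leaf gets its extensions from edge.ext.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Contoso Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the edge certificate: one cert, three valid names (the SAN
# approach), plus the server-auth EKU a TLS client expects.
cat >"$WORK/edge.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sip.contoso.com,DNS:webconf.contoso.com,DNS:av.contoso.com
EOF

# Private root CA (self-signed, 10 years).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
  -config "$WORK/openssl.cnf" -keyout "$WORK/ca.key" -out "$CA_CRT" 2>/dev/null

# Edge server key + CSR, then a one-year certificate signed by the private root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
  -subj "/CN=sip.contoso.com" -keyout "$WORK/edge.key" -out "$WORK/edge.csr" 2>/dev/null
openssl x509 -req -in "$WORK/edge.csr" -CA "$CA_CRT" -CAkey "$WORK/ca.key" \
  -set_serial 4096 -days 365 -extfile "$WORK/edge.ext" -out "$EDGE_CRT" 2>/dev/null

# Check 1: does the certificate chain to a root the client trusts?
# $1 = leaf cert, $2 = root the client has imported ("" = client has none).
check_trust() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

# Check 2: does the name the client connected to match the CN or a SAN entry?
# $1 = leaf cert, $2 = trusted root, $3 = hostname the client typed.
check_hostname() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Check 3: is the certificate inside its validity period at the given time?
# $1 = leaf cert, $2 = trusted root, $3 = Unix timestamp to evaluate at.
check_validity_at() {
  openssl verify -CAfile "$2" -attime "$3" "$1" >/dev/null 2>&1
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
NOW=$(date +%s)
LATER=$((NOW + 400 * 86400))   # 400 days out: past the leaf's one-year lifetime

report check_trust "$EDGE_CRT" "$CA_CRT"                        # root imported on client
report check_trust "$EDGE_CRT" ""                               # root not imported: fails
report check_hostname "$EDGE_CRT" "$CA_CRT" sip.contoso.com     # CN and SAN match
report check_hostname "$EDGE_CRT" "$CA_CRT" webconf.contoso.com # SAN-only match
report check_hostname "$EDGE_CRT" "$CA_CRT" mail.contoso.com    # not on the cert: fails
report check_validity_at "$EDGE_CRT" "$CA_CRT" "$NOW"           # valid today
report check_validity_at "$EDGE_CRT" "$CA_CRT" "$LATER"         # expired by then: fails
```

The "root not imported" case is exactly what a remote client sees when it has never been given your private root: the signature on the edge certificate is fine, but there is no trusted anchor to chain it to, so the handshake is rejected. Swapping the private root for a public one changes nothing in the other two checks; it only makes check 1 succeed on machines you have never touched.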

Hope this helps!


Comments (2)

  1. Joachim Farla says:

    See my weblog for more information. Our customer would like to use external certificates. That’s also possible.

    URL: http://unified-communications.blogspot.com/2007/10/e-office-deployed-ocs-for-almost-2500.html

    Joachim Farla

  2. Pete Calvert says:

    Will it fail though? Or prompt whether or not to trust the certificate?

    The purpose of SSL is two-fold.

    First, it is to enable the data stream to be encrypted – i.e. confidentiality.

    Second – through the use of certificates – to verify the endpoints – i.e. authentication.

    If the purpose of SSL is just for confidentiality and you aren’t fussed with authentication (or have some other mechanism for providing it) then how much extra effort is really involved for a user to click Yes I trust this certificate?