Pros and Cons of Creating an Internal Certificate Authority

Solution 1:

If you host your own CA, it will only be valid in sites/computers that have your CA's root certificate installed. In other words, just because you have your own CA does not mean that your certificates will be trusted by strangers.

If all your servers are in-house and accessed by in-house software, then your own CA is the way to go. You can deploy the CA's root certificate by GPO (if you're on a domain then installing the CA role into a server should do this automatically), and then every machine on your domain will trust it automatically.

However, if your software is accessed publicly (doesn't sound like it is), then the software at the other end may very well bring up certificate warnings stating that it does not trust your publisher. In that case, the only option you have is to purchase an SSL certificate from a trusted publisher (there are places much, much cheaper than Verisign if you don't need their insurance policies).

Solution 2:

An in-house CA is only valid inside servers you own and an external cert is good anywhere. That's the basic answer but there is a lot more to consider.

Pros

Cost- per cert cost is cheaper the more certs you generate

Revocation- it's very easy to revoke a cert you've generated, and you can give your certs short validity times

Access to free certs usually means greater usage- Usually folks will start signing their emails, and admins think about using domain and server isolation in mixed environments

Cons

Additional security requirements- This machine is possibly more important to secure than a domain controller. This system needs to be completely hardened. If you are using these certs for anything at all meaningful you need to consider the implications if those certs get compromised

Backup/high availability- Nothing says bad weekend like having HR tell you that your now dead CA gave them a cert they used to encrypt the payroll files and now can't decrypt the files because the cert can't be validated. Make sure it’s backed up often and is highly available

Liability- depending on what you want to use these for some C level exec may decide that all that money they spend on VeriSign certs is a waste because they've been using your certs just fine. If your certs get compromised and it's a VeriSign cert (and I'm simply using VeriSign as a placeholder for any third party CA) well that's easy to show that it's not your fault. If you own the CA...well it's possible that your next IT experience might be running the computerized cash register at the fast food restaurant of your choice.

Inability to use the cert externally- It's not impossible to make your CA publicly available, but no one is going to trust a cert from your company. While that's not a big deal it's a little more overhead to maintain 2 separate cert maintenance tasks (expiration times etc.). You could also consider buying a trusted root cert

Oh and if you need EV certs- you're upgrading to Windows 2008

While it might seem like there are more cons, many of these are just things to be aware of rather than a true negative indicator.