For an intranet server, would you buy an SSL cert or use a self-signed cert?

We have a webservice that our application uses, and the developers require https connections to the webservice. Since this is an internal webservice, would you use a self-signed cert?


Rather than a self-signed cert I'd create a local root CA and then generate the SSL cert from that, ensuring that all internal systems have a copy of the root CA's public key.

Keys generated this way have plenty of uses outside of plain HTTPS: they can also be used for OpenVPN, POP3S, SMTPS, etc., even for individual S/MIME accounts.

Having a single root CA for your organisation is a lot better than being held to ransom by the recognised CAs who'll charge you for each and every server you want a certificate for, and dare to charge you a "license fee" if you want to put the same cert on multiple servers in a load-balanced cluster.
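The local-root-CA approach described in this answer, as an added example that is not part of the original post: build a root CA with OpenSSL, issue a server certificate from it, and run the check a client that trusts only the root would perform. The CA name and the host name `ws01.example.internal` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: a minimal private root CA with
# OpenSSL. The root is the ONLY self-signed certificate; every intranet server
# gets a cert chained to it, and clients only need to trust ca.crt.
# Names (Example Internal Root CA, ws01.example.internal) are constructed.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"        # working directory for keys and certs
SERVER_FQDN="ws01.example.internal"      # constructed intranet web service host

# 1. Root CA: private key plus a self-signed certificate that is explicitly
#    marked as a CA and limited to signing certificates and CRLs.
make_root_ca() {
    openssl req -new -newkey rsa:3072 -nodes -sha256 -keyout "$CA_DIR/ca.key" \
        -out "$CA_DIR/ca.csr" -subj "/CN=Example Internal Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$CA_DIR/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$CA_DIR/ca.csr" \
        -signkey "$CA_DIR/ca.key" -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# 2. Server: key + CSR (made on the server), signed by the root. The SAN carries
#    the hostname (clients ignore the CN), CA:FALSE stops the server key from
#    issuing further certs, and the EKU restricts it to TLS server use.
issue_server_cert() {
    fqdn="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$CA_DIR/$fqdn.key" \
        -out "$CA_DIR/$fqdn.csr" -subj "/CN=$fqdn" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$fqdn" > "$CA_DIR/$fqdn.ext"
    openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$fqdn.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$fqdn.ext" -out "$CA_DIR/$fqdn.crt" 2>/dev/null
}

# 3. What a client that has ca.crt installed does: chain to the trusted root
#    AND match the hostname it connected to. Returns non-zero on failure.
verify_as_client() {
    cert_fqdn="$1"; expected_host="$2"
    openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$expected_host" \
        "$CA_DIR/$cert_fqdn.crt" >/dev/null 2>&1
}

make_root_ca
issue_server_cert "$SERVER_FQDN"
verify_as_client "$SERVER_FQDN" "$SERVER_FQDN" && echo "chain + hostname OK for $SERVER_FQDN"
verify_as_client "$SERVER_FQDN" "other.example.internal" || echo "hostname mismatch rejected, as expected"
echo "Distribute $CA_DIR/ca.crt (the root cert only) to clients; keep ca.key offline."
```

Only `ca.crt` needs to reach the clients (via GPO, configuration management or a package); `ca.key` stays on the signing host, and each new internal server just repeats step 2.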


Try CAcert. They are free; you just need to have the root installed. One step above having self-signed certificates.


If cost is an issue and you're Windows centric, as Mr. Denny suggests, go with Microsoft Certificate Services and deploy the certificates as part of the Default Domain GPO. You'll likely need three systems, but they can be VMs. You'll need the root CA, which should only be used for issuing the certificates for the intermediate CAs. You should have one intermediate CA as the Enterprise CA and then the third as a "stand-alone" CA so you can issue certs to non-domain assets.

If you've got a lot of clients and you are big enough, you may look at having a root from one of the third party solutions and issuing your own certificates from a CA that gets its certificate from said third party. That way you don't have to deploy the CA's certificate. For instance, there is a solution from GeoTrust.