SSL – Is it a good idea to use CAcert SSL certificates instead of self-signed ones in production?


At work, I have a bunch of web interfaces that use plain HTTP or self-signed certificates (load balancer management interface, internal wiki, Cacti, …).

None is reachable from outside specific vlans/networks.

For home usage, I use CAcert SSL certificates.

I was wondering if I should suggest that my employer use CAcert SSL certificates instead of self-signed certificates and plain HTTP. Does anyone use CAcert SSL in production? What are the pros/cons? Does it improve security? Is it easier to manage? Anything unexpected? Can it affect Qualys scans? How can I convince them?

Of course, paid certificates for public websites would remain unchanged.

Edit:

(Just curious) Free SSL certificates from companies do not seem to be class 3. I had to show my passport and be physically present to get class 3 from CAcert. Isn't there a warning in browsers for each class 1 certificate?

Anyway, I would have the same question about any free CA: is it better than using self-signed certificates and plain HTTP, and why?

I would do it for ease of management on the server side. Anything I missed?

Disclaimer: I'm not a CAcert association member, not even an Assurer, just a regular happy user.

Best Answer

I would advise that while there's nothing wrong with using free certs, like those from CAcert, you probably won't gain anything from doing so either.

Since they're not default trusted by anything, you'll still need to install/deploy the root certificate to all your clients, which is the same situation you'd be in with self-signed certs or certs issued by an internal CA.

The solution I prefer (and use) is an internal Certificate Authority and a mass deployment of its root certificate to all domain machines. Having control over the certificate authority you use makes certificate management a lot easier than even through a portal site. With your own CA, you can generally script up a certificate request and corresponding certificate issue so that all your servers, sites, and anything needing a certificate can get it automatically and be trusted by your clients almost immediately after being put into your environment, with no effort or manual tasks by IT.

Of course, if you're not up to the task of setting up and automating your own CA, then using an external free one like the one you mentioned could make your life a little easier, since you'd only have to deploy one external root certificate... but you should probably try to do it right the first time, and set up an internal CA for your domain.