Request a certificate from the certificate authority

Phishing question.

I have a TCP server application that uses certificates for TLS/SSL, stored in a PKCS#12 file. Assuming a CA is installed somewhere on the network and is accessible, would it be normal practice to request an SSL certificate from the CA (once), programmatically (C#), and write it out to the PKCS#12 file for use by the server?

Would that be normal practice, or would the more likely scenario be buying the certificate from a CA like Thawte or VeriSign etc., specifically for that customer, creating the PKCS#12 file beforehand, and installing it as part of the installation process?


I think this is a case where the argument can go either way.

Programmatic certificate requests and signing have their merits if you need to manage a large number of sites, at the loss of human-mediated validation if something goes horribly wrong (for example, if someone hijacks or listens in on your initial request). At some point, a trust decision needs to be made, either programmatically, or as a human operator.

This paper by Bruce Schneier goes into more detail, discussing potential risks to the CA architecture underpinning the trust decisions for PKI cryptography. I believe this covers many cases that are pertinent to your issue and your design that you may not have considered, and should.
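As an added example (not code from the original question or answer), the following C# program walks through the "request once, store as PKCS#12" flow the question describes, with the checks that guard against the failure mode the answer mentions (someone hijacking or substituting the certificate returned for your request). The key pair is generated locally and only the PKCS#10 request leaves the process; the issued certificate is accepted only if its public key is the one the server generated and it chains to the CA you intended to trust, pinned explicitly rather than taken from the machine store. Because the example has to run offline, a throw-away self-signed CA created inside the program stands in for the network CA; the host name, output path and password are placeholder values, and this step is where a real deployment would submit the CSR and wait for the CA (or an operator) to decide.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original post. Requires .NET 6 or later.
static class CertEnrollment
{
    const string ServerName = "tcp-server.example.test"; // placeholder host name
    const string P12Path = "server.p12";                  // placeholder output path

    static void Main()
    {
        // 1. Generate the server key pair locally. The private key never leaves this process;
        //    the CSR carries only the public key, the subject and the requested extensions.
        using RSA serverKey = RSA.Create(3072);
        var req = new CertificateRequest($"CN={ServerName}", serverKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(ServerName);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, critical: true));
        byte[] csrDer = req.CreateSigningRequest(); // PKCS#10 DER: this is what you send to the CA
        Console.WriteLine($"CSR is {csrDer.Length} bytes");

        // 2. Stand-in CA, constructed for the example so it runs offline. In production this is
        //    where the CSR is submitted and the CA (or a human operator) decides whether to issue.
        using RSA caKey = RSA.Create(3072);
        var caReq = new CertificateRequest("CN=Example Test CA (constructed)", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(
            certificateAuthority: true, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
        using X509Certificate2 caCert = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));

        byte[] serial = RandomNumberGenerator.GetBytes(16);
        serial[0] = (byte)((serial[0] & 0x7F) | 0x40);   // keep the serial positive and non-zero
        using X509Certificate2 issued = req.Create(caCert,
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1), serial);

        // 3. Check the issued certificate really contains the public key we generated. A
        //    substituted certificate would pass a chain check but fail here.
        byte[] expectedSpki = serverKey.ExportSubjectPublicKeyInfo();
        byte[] issuedSpki = issued.GetRSAPublicKey()!.ExportSubjectPublicKeyInfo();
        if (!expectedSpki.SequenceEqual(issuedSpki))
            throw new CryptographicException("Issued certificate does not match the key we generated");

        // 4. Check it chains to the CA we expected, pinned explicitly (CustomRootTrust) rather
        //    than accepting anything present in the machine's root store.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline example; use Online in production
        if (!chain.Build(issued))
        {
            string reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new CryptographicException($"Issued certificate does not chain to the pinned CA: {reasons}");
        }

        // 5. Only now bind the private key and write the PKCS#12 the TLS server will load.
        using X509Certificate2 withKey = issued.CopyWithPrivateKey(serverKey);
        string password = "placeholder-change-me"; // placeholder; take this from a secret store in practice
        File.WriteAllBytes(P12Path, withKey.Export(X509ContentType.Pkcs12, password));
        Console.WriteLine($"Wrote {P12Path}: {withKey.Subject}, expires {withKey.NotAfter:u}");
    }
}
```

The order of the steps is the point: the private key is bound and persisted only after the public-key and pinned-chain checks pass, so a request that was tampered with in transit produces an exception rather than a server that quietly serves someone else's certificate. Whether the request is sent automatically or an operator submits it by hand, this is the trust decision the answer refers to, and the checks are the same in both cases.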
