Things often turn out great when you do them yourself. But when it comes to signing SSL certificates, you might want to give that DIY project a second thought. Before digging deep into the risks of using self-signed certificates, let’s spend some time getting re-acquainted with the functions of SSL certificates.
What do SSL certificates do?
The functions performed by SSL certificates can be broadly classified into two categories:
- Encryption: SSL certificates encrypt data in transit using Secure Socket Layer (SSL) protocol. When you reach out to a website, SSL certificates ensure that the communication between you and the website remains private.
- Authentication: SSL certificates certify the validity of an organization, so that users can make sure they’ve reached the correct website and feel safe sharing their private information.
Risks of using self-signed certificates.
SSL certificates are generally signed and issued by trusted third parties called certificate authorities (CAs). CAs verify that website owners really are who they claim to be (that’s right, browsers don’t trust you). If your organization has any public-facing websites, it’s best to use CA-signed certificates. Signing SSL certificates on your own can put you through either one or both of the problems below.
- Browser security warnings: If you’re using self-signed certificates, browsers will display security warnings to visitors on your website, indicating that it is not safe enough for him/her to share private data with your organization. This drastically brings down the trust customers have in your organization and is a huge blow to your reputation.
- Website phishing due to key compromise: Self-signed certificates originate internally, meaning the private keys remain with you. If you don’t keep track of your private keys, chances are high that they might land in the wrong hands. Attackers who have access to your private keys can create a similar certificate, set up a duplicate server, spoof your website, divert internet traffic, and steal your customers’ data. Self-signed certificates can turn into a complete disaster for you and your customers if private keys are compromised.
Replace self-signed certs with domain-validated certs.
So, the next immediate question that pops in your mind should be “Am I ever allowed to use self-signed certs?” Technically, yes. You can use self-signed certs if your website isn’t public-facing, i.e. when you’re developing/testing an application or using a website for intranet connections. But, what if there are attackers within your network who try to launch an MITM attack and steal corporate data?
The best and safest way out is finding all your self-signed certificates and replacing them with domain-validated (DV) certificates. These self-signed certs can remain hidden in your network and it’s hard to manually discover them all without an automated certificate management solution. And if you are a big organization using a large number of SSL certs, it gets a lot tougher!
Key Manager Plus is worth a shot.
Key Manager Plus, our web-based SSL certificate and SSH key management solution, can help you deal with self-signed certificates. Key Manager Plus filters all your self-signed certs and helps you replace them with DV certs within a few minutes.
Also, Key Manager Plus is integrated with Let’s Encrypt, the renowned open CA, which makes it a lot easier for you to acquire new DV certs in replacement of the self-signed ones. Here’s how it’s done with Key Manager Plus:
- Use Key Manager Plus to scan your SSL environment and filter all the self-signed certs.
- Revoke the self-signed certs.
- Request new DV certs from Let’s Encrypt to replace the self-signed certs.
- Deploy the new certs to their corresponding domain servers.
Refer to our detailed help documentation to learn more about replacing your self-signed certificates.
So go ahead, and give the trial version of Key Manager Plus a shot! You can write to us at keymanagerplus-support@manageengine.com for further assistance.
Click here to download Key Manager Plus.
