SSL: Signed vs Self-Signed Certificates
I was born in Northern Cyprus (http://en.wikipedia.org/wiki/Northern_Cyprus), and during my working life in Istanbul I needed to declare that I had been working outside Cyprus for 7 years after university in order to be exempt from military service.
For this, I spent hours finding an approved notary to seal the working declaration issued by my company, because the Cyprus Embassy only accepts specific notaries. They keep the notaries' signature samples and certification numbers as a catalog, and only working declaration papers approved by those notaries were accepted.
This was how I got out of military service.
Let's come to the point.
Now, if you check my previous eInvoicing (4-ways of doing eInvoicing in Turkey) and SSL related blogs (By the Way, What is SSL?), you'll notice that a large number of Turkish companies are going to install NetWeaver PI because of our eInvoicing solution. This blog series was triggered by that situation.
Now it is time to dive into this SSL topic one step at a time.
Currently, TRA (Turkish Revenue Administration) provides 2 systems for the eInvoicing infrastructure. One is for testing customers' eInvoicing system integrations, the other is for productive eInvoicing systems.
Integration between a customer's eInvoicing system and the TRA systems is a web service integration, and communication takes place only over the HTTPS protocol on port 443.
TRA allows customers to use a self-signed certificate for the test system, but for the productive system they require a certificate signed by a public CA.
Now our customers, and even consultants and project managers within our company, are wondering what the difference between these 2 types of certificates is:
- Why do SSL certificates exist and why are they required?
- What is a self-signed and what is a signed certificate?
- Is the traffic encrypted even if we use a self-signed certificate?
1. Why do SSL certificates exist?
The Secure Sockets Layer protocol was created by Netscape to ensure secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction.
There are 2 reasons why we need SSL certificates:
- Encryption: hiding what is sent from one computer to another.
- Identification: making sure the computer you are speaking to is the one you trust.
In simplified form, an SSL connection proceeds like this:
- Computers agree on how to encrypt
- Server sends its certificate
- Your computer says "start encrypting"
- Server says "start encrypting"
- All messages are now encrypted
This is all about trust. If you get a signed certificate from VeriSign, you prove to random clients that your certificate is trusted. If you self-sign the certificate, people who do not have your certificate installed on their computer cannot be sure that they aren't being subjected to a man-in-the-middle attack.
If your web server is used only by you, then you do not need a real CA (such as VeriSign) to sign your certificate. Just install the certificate on the machines that you want to use and you're good to go.
How a CA-signed certificate comes to be trusted:
- Company asks CA for a certificate
- CA creates the certificate and signs it
- Certificate is installed on the server
- Browser is shipped with the root certificates
- Browser trusts correctly signed certificates
Here you can think of the browser as the Cyprus Embassy, which asks for a trusted authority's approval to identify you, and of the trusted authorities as the notaries who approved my work declaration papers.
2. What is a self-signed and what is a signed certificate?
It has always been said that SSL certificates are only secure if they are issued and signed by a trusted signing authority, and that we should never use a self-signed certificate except for limited internal use and for testing purposes. We would be crazy to implement a self-signed certificate in a production environment.
Why Pay a Certificate Authority?
A certificate authority tells your customers that this server's information has been verified by a trusted source. The most commonly used certificate authority is VeriSign. Depending on which CA is used, the domain is verified and a certificate is issued. VeriSign and other more trusted CAs will verify the existence of the business in question and its ownership of the domain, to provide a bit more assurance that the site in question is legitimate.
The problem with using a self-signed certificate is that nearly every web browser checks that an https connection is signed by a recognized CA. If the certificate is self-signed, the connection is flagged as potentially risky and error messages pop up encouraging your customers not to trust the site.
When Can You Use a Self-Signed Certificate?
Since they provide the same encryption, you can use a self-signed certificate anywhere you would use a signed certificate. But some places work better than others.
Self-signed certificates are great for test servers. If you're creating a website that you need to test over an https connection, you don't have to pay for a signed certificate for that test site. You just need to tell your testers that their browser may pop up warning messages.
What it comes down to is trust. When you use a self-signed certificate, you are saying to your customers "trust me – I am who I say I am." When you use a certificate signed by a CA, you are saying, "Trust me – VeriSign/GlobalSign/another CA agrees I am who I say I am."
3. Is the traffic encrypted even if we use a self-signed certificate?
Whether you get your certificate signed by a certificate authority or sign it yourself, one thing is exactly the same in both cases:
- Both certificates will give you a site that cannot be read by third parties. The data sent over an https (SSL) connection will be encrypted regardless of whether the certificate is CA-signed or self-signed.
In other words, both types of certificates will encrypt the data to create a secure website.
So for test systems TRA accepts your word that "you're who you say you are", but for production eInvoicing systems TRA requires a CA (the notary) to confirm "who you are".
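As an added example (not part of the original post), the openssl commands below build a small private CA, a CA-signed server certificate and a self-signed one for a constructed test host, then check them the way a browser would: only the certificate chained to a trusted CA verifies, the self-signed one verifies only where it has itself been installed as trusted (section 1), and both carry a key of the same size, so the encryption does not depend on who signed them (section 3). The CA name Demo-CA and the host name einvoice-test.example are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
# Demo-CA and einvoice-test.example are constructed placeholder names.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # 1. Private CA: its root certificate plays the role of the notary catalog
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 2. Server key + CSR, then the CA signs it: the "signed certificate" case
  openssl req -newkey rsa:2048 -nodes -subj "/CN=einvoice-test.example" \
    -keyout "$WORK/signed.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/signed.crt" 2>/dev/null
  # 3. Same subject, but the server vouches for itself: the self-signed case
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=einvoice-test.example" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# verify_with TRUSTED_FILE CERT: prints "ok" or "untrusted", mimicking the
# check a browser performs against the root certificates it ships with.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# key_bits CERT: size of the public key in the certificate, e.g. "2048 bit"
key_bits() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -noout -text 2>/dev/null \
    | grep -o '[0-9][0-9]* bit' | head -1
}

make_certs
SIGNED_VS_CA=$(verify_with "$WORK/ca.crt" "$WORK/signed.crt")   # ok
SELF_VS_CA=$(verify_with "$WORK/ca.crt" "$WORK/self.crt")       # untrusted
SELF_VS_SELF=$(verify_with "$WORK/self.crt" "$WORK/self.crt")   # ok (installed locally)
echo "CA-signed cert, CA trusted:        $SIGNED_VS_CA"
echo "self-signed cert, CA trusted:      $SELF_VS_CA"
echo "self-signed cert, itself trusted:  $SELF_VS_SELF"
echo "key size signed/self: $(key_bits "$WORK/signed.crt") / $(key_bits "$WORK/self.crt")"
```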