I was born in Northern Cyprus (http://en.wikipedia.org/wiki/Northern_Cyprus), and during my working life in Istanbul I needed to declare that I had been working outside Cyprus for 7 years after university in order to be exempt from military service.
For this, I spent hours finding an approved notary to seal the working declaration given to me by my company, because the Cyprus Embassy only accepts specific notaries. They keep a catalog of those notaries' signature samples and certification numbers, and only working declaration papers approved by those notaries were accepted.
This was how I got rid of military service.
Let's come to the point.
Now, if you check my previous eInvoicing blog (4-ways of doing eInvoicing in Turkey) and SSL-related blog (By the Way, What is SSL?), you'll notice that a large number of Turkish companies are going to install NetWeaver PI because of our eInvoicing solution. This blog series was triggered by that situation.
Now it is time to dive deeper into this SSL topic, one piece at a time.
Currently, TRA (Turkish Revenue Administration) provides 2 systems for the eInvoicing infrastructure: one for testing customers' eInvoicing system integrations, the other for productive eInvoicing systems.
Integration between a customer's eInvoicing system and the TRA systems is a web service integration, and communication takes place only over the HTTPS protocol on port 443.
TRA allows customers to use a self-signed certificate for the test system, but for the productive system they require a certificate signed by a public CA.
Now, our customers, and even consultants and project managers within our company, are wondering about the difference between these 2 types of certificates.
The Secure Sockets Layer (SSL) protocol was created by Netscape to secure transactions between web servers and browsers. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction.
(Figures: Without SSL / With SSL)
There are 2 reasons why we need SSL certificates:
Identification
This is all about trust. If you get a certificate signed by Verisign, you prove to random clients that your certificate is trusted. If you self-sign the certificate, people who do not have your certificate installed on their computer cannot be sure that they aren't the target of a man-in-the-middle attack.
If your web server is used only by you, then you do not need a real CA (such as Verisign) to sign your certificate. Just install the certificate on the machines you want to use, and you're good to go.
For identification:
Here, you can think of the browser as the Cyprus Embassy, which asks for a trusted authority's approval to identify you, and of the trusted authorities as the notaries who approved my work declaration papers.
We are always told that SSL certificates are only secure if they are issued and signed by a trusted signing authority, and that we should never use a self-signed certificate except for limited internal use and for testing purposes. We would be crazy to implement a self-signed certificate in a production environment.
Why Pay a Certificate Authority?
A certificate authority tells your customers that this server's information has been verified by a trusted source. The most commonly used certificate authority is Verisign. Depending on which CA is used, the domain is verified and a certificate is issued. Verisign and other more trusted CAs will verify the existence of the business in question and the ownership of the domain, providing a bit more assurance that the site in question is legitimate.
The problem with using a self-signed certificate is that nearly every web browser checks that an HTTPS connection is signed by a recognized CA. If the certificate is self-signed, the connection will be flagged as potentially risky and error messages will pop up encouraging your customers not to trust the site.
When Can You Use a Self-Signed Certificate?
Since they provide the same encryption, you can use a self-signed certificate anywhere you would use a signed certificate, but some places work better than others.
Self-signed certificates are great for test servers. If you're creating a website that you need to test over an HTTPS connection, you don't have to pay for a signed certificate for that test site. You just need to tell your testers that their browser may pop up warning messages.
What it comes down to is trust. When you use a self-signed certificate, you are saying to your customers "trust me - I am who I say I am." When you use a certificate signed by a CA, you are saying, "Trust me - Verisign/GlobalSign/otherCA agrees I am who I say I am."
Whether you get your certificate signed by a certificate authority or sign it yourself, one thing is exactly the same for both: the encryption. In other words, both types of certificates will encrypt the data to create a secure website.
So, for test systems TRA accepts your word that "you're who you say you are", but for production eInvoicing systems TRA requires a CA (the notary) to approve "who you are".
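The three situations described above, as an added example that is not part of the original post: a client that knows nothing about a self-signed certificate rejects it, a client on which that certificate has been installed accepts it, and a client that trusts a CA accepts any certificate that CA signs. It uses only the Go standard library; the hostname, the "notary-ca.example" CA and all keys are constructed for the demo and are not TRA endpoints or TRA's actual certificates.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a one-day certificate for name: self-signed when parent is nil, otherwise signed by the CA in parent/parentKey.
func newCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo; real CAs use random serials
		Subject:      pkix.Name{CommonName: name}, DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: parent == nil, // roots are CAs
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a root must be allowed to sign certificates
		parent, parentKey = tmpl, key          // self-signed: issuer == subject, and the cert's own key signs it
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted is the check a browser or TLS client makes: does cert chain to a root the client already trusts, and is it valid for host?
func trusted(cert *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	const host = "einvoice-test.example.com" // constructed name, not a real TRA endpoint
	self, _, _ := newCert(host, nil, nil)
	ca, caKey, _ := newCert("notary-ca.example", nil, nil) // constructed private CA standing in for a public CA
	leaf, _, _ := newCert(host, ca, caKey)
	pinned, caPool := x509.NewCertPool(), x509.NewCertPool()
	pinned.AddCert(self) // "install the certificate on the machines that you want to use"
	caPool.AddCert(ca)   // a public CA's root is what browsers ship with pre-installed
	fmt.Println(trusted(self, x509.NewCertPool(), host), trusted(self, pinned, host), trusted(leaf, caPool, host)) // false true true
}
```

The first result is the browser warning the post describes; the second is the "install it on your own machines" case; the third is the CA-signed production case.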