Establishing a proprietary CA

Relying on public CAs for secure enterprise communications can be recommended only under certain conditions.

An alternative for company communications is to establish a proprietary CA. Suitable software includes the Microsoft CA on a Microsoft Windows 2003 server or, as an open source alternative, OpenSSL. A proprietary CA lets you issue and manage all of the certificates needed for secure data exchange, completely independently of external parties.

Companies are advised to use a proprietary CA rather than public certifiers. There are, however, several important issues to consider when planning a CA. For example, the validity period for the Root CAs has to be defined as early as the installation of a Windows CA and cannot be altered afterwards. Other aspects of planning include:

Precise planning is strongly recommended, since later corrections often involve considerable effort.
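The same planning constraint applies to an OpenSSL-based CA: the root's validity period is written into the signed root certificate when it is created. The following is an added example, not part of the original page; it builds a throwaway root, issues one certificate from it, and checks that the root outlives what it issues. The organisation name, host name and day counts are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: constructed names and day counts, not from the original page.
set -eu
ROOT_DAYS=3650   # root validity, fixed at the moment the root is signed
LEAF_DAYS=365    # validity of the certificates the CA issues

make_root_ca() {               # make_root_ca <dir>: key + self-signed root
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Corp Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes leaves the key unencrypted: acceptable for a throwaway demo only.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$ROOT_DAYS" \
    -config "$1/ca.cnf" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
}

issue_leaf() {                 # issue_leaf <dir>: CSR, then sign with the root
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=host.example.internal" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days "$LEAF_DAYS" -sha256 -out "$1/leaf.crt" 2>/dev/null
}

root_covers_leaf() {           # succeeds if the root outlives a leaf issued now
  openssl x509 -in "$1/root.crt" -noout \
    -checkend $((LEAF_DAYS * 86400)) >/dev/null
}

demo=$(mktemp -d)
make_root_ca "$demo"
issue_leaf "$demo"
openssl x509 -in "$demo/root.crt" -noout -subject -enddate
openssl verify -CAfile "$demo/root.crt" "$demo/leaf.crt"
root_covers_leaf "$demo" && echo "root outlives a ${LEAF_DAYS}-day leaf"
rm -rf "$demo"
```

Changing `ROOT_DAYS` later has no effect on a root that already exists; a different validity period means signing and redistributing a new root certificate.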