Problem #1: Frequent Display of Security Warnings
Self Signed SSL certificates often display security Experience Certification warnings because browsers such as Internet Explorer (IE) do not recognize these certificates. Every browser has a defined list of ‘Trusted Root Certification Authorities’ – some publicly available, some not – and will scan web servers to see if an SSL certificate is installed. If the certificate in the server does not fall in the list of trusted root Certificate Authorities (CAs) in the browser, the security warning will be prompted. These warnings can affect brand reputation and business, chasing new and returning visitors away.
Problem #2: Missing Components
Because the certificate is self-generated, there will be several components in the certificate missing, making servers vulnerable with the certificate installed. Some common important elements include:
(1) Missing EKU (extKeyUsage) Information
– Missing TLS Web Server Authentication EKU OR
– Missing TLS Web Client Authentication EKU
EKUs indicate what the public key in the certificate will be used for – a client or a server. The CA/B Forum requires all publicly trusted SSL certificate to include web server authentication EKU, web client authentication EKU or both.
(2) Missing AIA
Authority Information Access information is used by browsers and other applications to check on the validity of an SSL certificate. If this is missing, the certificate will be viewed as dangerous and unsafe by browsers, displaying a warning message on browsers.
(3) Missing Basic Constraints
Every software library reads digital certificates slightly differently.
It is always good to include basic constraints information so that each library can identify the certificate as an End Entity and that there will be no mistake in identifying the certificate wrongly – such as malicious certificates.
(4) Missing Key Usage Digital Signature
A key usage digital signature affirms the use of the certificate for a specific purpose. If the Key Usage is missing, cyber attackers can exploit the certificate and use it for vicious purposes.
Problem #3: It Gets Outdated Fast
The SSL/TLS protocol goes through continual rounds of changes as researchers seek to improve the encryption technology. As of today, TLS 1.2 is the latest release, with TLS 1.3 on its way. With self-signed certificates, the certificate gets outdated fast, exposing servers with vulnerabilities from previous protocols.
Solution: Eradicating Problems with CA Certificates
Major browsers such as IE, Chrome, and Firefox work closely with members of the CA/B Forum to ensure a more secure use of the Internet.
DigiCert is one CA that works very closely with Browser Services to improve on SSL technologies such as the creation of Extended Validation (EV) and Certificate Transparency.
Being at the frontline of SSL technologies, DigiCert certificates uses the most up-to-date encryption and passes all these to its users. Price is also highly competitive in the industry, easily making them one of the most affordable in high assurance and reliable digital certificates.
The Bottom Line
Self Signed certificates may be a free and immediate solution to encryption; however, implementing self-signed certificates is not sustainable in the long run and is bound to face problems eventually. When that happens, time will be spent troubleshooting, fixing and mitigating. Instead of letting that happen, it is better to adopt CA certificates right from the beginning.