Public certificates versus private certificates
You can use certificates from a public CA, or you can create and operate a private CA to issue certificates. How you obtain your certificates depends on how you plan to use them. Your options are:
- Purchasing your certificates from a public Internet Certificate Authority (CA).
- Operating your own local CA to issue private certificates for your users and applications.
- Using a combination of certificates from public Internet CAs and your own local CA.
Which of these implementation choices you make depends on a number of factors, one of the most important being the environment in which the certificates are used. Here's some information to help you better determine which implementation choice is right for your business and security needs.
Using public certificates
Public Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires some proof of identity before it issues a certificate. This level of proof varies, though, depending on the identification policy of the CA. You need to evaluate whether the stringency of the identification policy of the CA suits your security needs before deciding to obtain certificates from the CA or to trust the certificates that it issues. As Public Key Infrastructure for X.509 (PKIX) standards have evolved, some public CAs now provide much more stringent identification standards for issuing certificates. While the process for obtaining certificates from such PKIX CAs is more involved, the certificates the CA issues provide better assurance for securing access to applications by specific users. Digital Certificate Manager (DCM) allows you to use and manage certificates from PKIX CAs that use these new certificate standards.
You must also consider the cost associated with using a public CA to issue certificates. If you need certificates for a limited number of server or client applications and users, cost may not be an important factor for you. However, cost can be particularly important if you have a large number of private users who need public certificates for client authentication. In this case, you also need to consider the administrative and programming effort needed to configure server applications to accept only a specific subset of the certificates that a public CA issues.
Using certificates from a public CA may save you time and resources because many server, client, and user applications are configured to recognize most of the well-known public CAs. Also, other companies and users may recognize and trust certificates that a well-known public CA issues more than those that your private local CA issues.
Using private certificates
If you create your own local CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own local CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control who has certificates, and therefore who has access to your resources, more stringently. A potential disadvantage of maintaining your own local CA is the amount of time and resources that you must invest. However, Digital Certificate Manager (DCM) makes this process easier for you.
When you use a local CA to issue certificates to users for client authentication, you need to decide where you want to store the user certificates. When users obtain their certificates from the local CA through DCM, their certificates are stored with a user profile by default. However, you can configure DCM to work with Enterprise Identity Mapping (EIM) so that their certificates are stored in a Lightweight Directory Access Protocol (LDAP) location instead. If you prefer not to have user certificates associated with or stored in a user profile in any manner, you can use APIs to programmatically issue certificates to users other than IBM® i users.
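The trade-off described in the two sections above, that a server trusting a public CA must also restrict which of that CA's certificates it accepts while a private local CA's chain check already limits acceptance to the certificates you issued, as an added Go example that is not part of this page and not DCM's own code. It constructs both CAs in memory as stand-ins; the user names, the fingerprint allowlist and the `Issue`/`AcceptClient` helpers are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Issue signs a client-auth certificate for cn under parent; a nil parent creates a self-signed root. All CAs here are constructed in-memory stand-ins.
func Issue(cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // root: CA flags and CertSign usage, no client EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err) // only reachable if the template above is malformed
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fingerprint identifies one specific certificate: SHA-256 over its DER encoding.
func Fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }

// AcceptClient is the server-side decision: a chain to a private local CA is sufficient on its own, but a
// public CA also issues to strangers, so with a public root the server must also apply an allowlist (nil = none).
func AcceptClient(leaf, root *x509.Certificate, allowed map[string]bool) bool {
	roots := x509.NewCertPool(); roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && (allowed == nil || allowed[Fingerprint(leaf)])
}

// Demo runs the constructed scenario and returns the four accept/reject decisions.
func Demo() [4]bool {
	pubCA, pubKey := Issue("Constructed Public CA", nil, nil)
	locCA, locKey := Issue("Constructed Local CA", nil, nil)
	alice, _ := Issue("alice", pubCA, pubKey) // our user, holding a public certificate
	other, _ := Issue("other", pubCA, pubKey) // a stranger's certificate from the same public CA
	bob, _ := Issue("bob", locCA, locKey)     // our user, holding a private certificate
	allow := map[string]bool{Fingerprint(alice): true} // the subset of public certificates the server accepts
	return [4]bool{AcceptClient(alice, pubCA, allow), AcceptClient(other, pubCA, allow), AcceptClient(bob, locCA, nil), AcceptClient(alice, locCA, nil)}
}
```

Demo returns [true false true false]: the stranger's public certificate chains correctly yet is refused by the allowlist, and alice's public certificate is refused outright by a server that trusts only the local CA.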
You may find it helpful to review some common certificate usage scenarios to help you choose whether using public or private certificates best suits your business and security needs.
- Creating and operating a private CA describes the tasks that you must perform if you choose to operate a local CA to issue private certificates.
- Managing certificates from a public Internet CA describes the tasks that you must perform to use certificates from a well-known public CA, including a PKIX CA.
- Using a local CA on other IBM i models describes the tasks that you must perform if you want to use certificates from a private local CA on more than one system.