Public certificates versus private certificates

You can use certificates from a public CA or you can create and operate a private CA to issue certificates. How you choose to obtain your certificates depends on how you plan to use them.

Once you decide on the type of CA to issue the certificates, you need to choose the type of certificate implementation that best suits your security needs. The choices that you have for obtaining your certificates include:
  • Purchasing your certificates from a public Internet Certificate Authority (CA).
  • Operating your own local CA to issue private certificates for your users and applications.
  • Using a combination of certificates from public Internet CAs and your own local CA.

Which of these implementation choices you make depends on a number of factors, one of the most important being the environment in which the certificates are used. Here's some information to help you better determine which implementation choice is right for your business and security needs.

Using public certificates

Public Internet CAs issue certificates to anyone who pays the necessary fee. However, an Internet CA still requires some proof of identity before it issues a certificate. This level of proof varies, though, depending on the identification policy of the CA. You need to evaluate whether the stringency of the identification policy of the CA suits your security needs before deciding to obtain certificates from the CA or to trust the certificates that it issues. As Public Key Infrastructure for X.509 (PKIX) standards have evolved, some public CAs now provide much more stringent identification standards for issuing certificates. While the process for obtaining certificates from such PKIX CAs is more involved, the certificates the CA issues provide better assurance for securing access to applications by specific users. Digital Certificate Manager (DCM) allows you to use and manage certificates from PKIX CAs that use these new certificate standards.

You must also consider the cost associated with using a public CA to issue certificates. If you need certificates for a limited number of server or client applications and users, cost may not be an important factor for you. However, cost can be particularly important if you have a large number of private users that need public certificates for client authentication. In this case, you need to also consider the administrative and programming effort needed to configure server applications to accept only a specific subset of certificates that a public CA issues.

Using certificates from a public CA may save you time and resources because many server, client, and user applications are configured to recognize most of the well-known public CAs. Also, other companies and users may recognize and trust certificates that a well-known public CA issues more than those that your private local CA issues.

Using private certificates

If you create your own local CA, you can issue certificates to systems and users within a more limited scope, such as within your company or organization. Creating and maintaining your own local CA allows you to issue certificates only to those users who are trusted members of your group. This provides better security because you can control who has certificates, and therefore who has access to your resources, more stringently. A potential disadvantage of maintaining your own local CA is the amount of time and resources that you must invest. However, Digital Certificate Manager (DCM) makes this process easier for you.

When you use a local CA to issue certificates to users for client authentication, you need to decide where you want to store the user certificates. When users obtain their certificates from the local CA through DCM, their certificates are stored with a user profile by default. However, you can configure DCM to work with Enterprise Identity Mapping (EIM) so that their certificates are stored in a Lightweight Directory Access Protocol (LDAP) location instead. If you prefer not to have user certificates associated or stored with a user profile in any manner, you can use APIs to programmatically issue certificates to users other than IBM® i users.

Note: No matter which CA you use to issue your certificates, the system administrator controls which CAs are trusted by applications on that system. If a copy of a certificate for a well-known CA can be found in your browser, your browser can be set to trust server certificates that were issued by that CA. Administrators set trust for CA certificates in the appropriate DCM certificate store, which contains copies of most well-known public CA certificates. However, if a CA certificate is not in your certificate store, your server cannot trust user or client certificates that were issued by that CA until you obtain and import a copy of the CA certificate. The CA certificate must be in the correct file format, and you must add that certificate to your DCM certificate store.
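The trust decision described in the note above, and the "specific subset of certificates" filter mentioned under public certificates, can be modelled end to end in a few dozen lines. The following is an added example written for this page in Go using only the standard library; it is not DCM code and not IBM's. A Go x509.CertPool stands in for the DCM certificate store, the organization name "Example Org" and the users "alice" and "bob" are constructed sample values, and the CA is a throwaway key pair generated in memory. The example creates a local CA, issues two client-authentication certificates from it, and then shows that a server accepts a user certificate only when the issuing CA's certificate is present in its store and, optionally, only when the user is in an explicitly allowed subset.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer holds a local CA's certificate and signing key (constructed for this example).
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewLocalCA creates a self-signed CA certificate for the named organization.
func NewLocalCA(org string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Local CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, Key: key}, nil
}

// IssueUserCert issues a client-authentication certificate whose CN is the user name.
func (ca *Issuer) IssueUserCert(user string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: ca.Cert.Subject.Organization, CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyClientCert is the server-side check: the certificate must chain to a CA in
// the trust store and, when allowedUsers is non-empty, its subject CN must be in
// that subset. A CA that is not in the store yields x509.UnknownAuthorityError.
func VerifyClientCert(cert *x509.Certificate, store *x509.CertPool, allowedUsers []string) error {
	opts := x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if len(allowedUsers) == 0 {
		return nil
	}
	for _, u := range allowedUsers {
		if cert.Subject.CommonName == u {
			return nil
		}
	}
	return errors.New("certificate chains to a trusted CA but its subject is not in the allowed set")
}

// ScenarioResult records the three outcomes a practitioner should expect.
type ScenarioResult struct {
	TrustedCAAccepted     bool // CA cert in the store, user in the allowed set
	UnknownCARejected     bool // CA cert missing from the store
	OutsideSubsetRejected bool // CA trusted, but user not in the allowed set
}

// RunScenario issues certificates for two constructed users from a local CA and
// checks them against a store with and without that CA's certificate.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	ca, err := NewLocalCA("Example Org")
	if err != nil {
		return r, err
	}
	alice, err := ca.IssueUserCert("alice", 100)
	if err != nil {
		return r, err
	}
	bob, err := ca.IssueUserCert("bob", 101)
	if err != nil {
		return r, err
	}
	withCA := x509.NewCertPool() // store after the administrator imports the CA certificate
	withCA.AddCert(ca.Cert)
	withoutCA := x509.NewCertPool() // store before the import: the CA is unknown
	allowed := []string{"alice"}    // the subset of issued certificates the server accepts

	r.TrustedCAAccepted = VerifyClientCert(alice, withCA, allowed) == nil
	var unknown x509.UnknownAuthorityError
	r.UnknownCARejected = errors.As(VerifyClientCert(alice, withoutCA, allowed), &unknown)
	r.OutsideSubsetRejected = VerifyClientCert(bob, withCA, allowed) != nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The second check is the situation the note warns about: the user's certificate is perfectly valid, but the server rejects it with an unknown-authority error because the CA certificate has not been imported into its store. The third check is the administrative burden the public-CA discussion refers to: once a CA is trusted, every certificate it has issued chains successfully, so accepting only some of them requires an explicit allow-list on top of chain validation.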

You may find it helpful to review some common certificate usage scenarios to help you choose whether using public or private certificates best suits your business and security needs.

Related tasks

After you decide how you want to use certificates and which type to use, review these procedures to learn more about how to use Digital Certificate Manager to put your plan into action:
  • Creating and operating a private CA describes the tasks that you must perform if you choose to operate a local CA to issue private certificates.
  • Managing certificates from a public Internet CA describes the tasks that you must perform to use certificates from a well-known public CA, including a PKIX CA.
  • Using a local CA on other IBM i models describes the tasks that you must perform if you want to use certificates from a private local CA on more than one system.