> If the system is only for testing, or communicates with a limited number of
> systems (i.e., it is a firewalled backend system that only communicates with a
> front-end system), then again, a self-signed certificate would be fine.

+1

> If his organization already uses PKI certificates, then he should follow the
> rules established in his organization's Certificate Practice Statement, if it
> has issued one.
>
> I do agree that if this is a public facing system, or one in an organization
> with a large number of users that does not have its own CA infrastructure,
> then a commercial certificate would be the best choice.

Commercial certificate authorities are actively targeted by hackers, and when they are broken into, the trust each OS has configured for such certificates can cause issues. The recent Google SSL certificate issue shows what happens when things go wrong.

If users will access the site via a browser, then the browser warning will confuse them/make them used to ignoring security warnings.

For applications communicating with each other, a self-signed certificate will actually be more secure than a certificate authority issued certificate - assuming you trust your internal security more than you trust that of a commercial certificate authority.

It all depends on what the certificate will be used for.

Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
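The following shell script is an added illustration of the two trust models contrasted in Chris's reply; it is not part of the thread or of Tomcat, and the hostname `backend.internal` and the temporary working directory are invented for the example. It creates a self-signed certificate with `openssl`, then shows that a client which pins exactly that certificate as its trust anchor accepts it, while a client relying on the default OS/CA bundle rejects it (the case that produces the browser warning the reply mentions).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI.
# backend.internal is a made-up hostname for a hypothetical internal service.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate and key for the hypothetical backend.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=backend.internal" \
        -keyout "$WORK/backend.key" -out "$WORK/backend.crt" >/dev/null 2>&1
}

# Trust model 1: the client trusts exactly this certificate (explicit trust
# anchor, no public CA involved). Returns 0 when verification succeeds.
# No compromise of a commercial CA can mint a certificate that passes here.
verify_pinned() {
    openssl verify -CAfile "$WORK/backend.crt" "$WORK/backend.crt" >/dev/null 2>&1
}

# Trust model 2: the client trusts the default CA bundle shipped with the OS.
# A self-signed certificate is not in that bundle, so this returns nonzero;
# a browser in the same position shows its security warning.
verify_default() {
    openssl verify "$WORK/backend.crt" >/dev/null 2>&1
}

# Stand-alone run: show both outcomes.
make_self_signed
verify_pinned && echo "pinned trust anchor: accepted"
verify_default || echo "default CA bundle: rejected (expected for self-signed)"
```

Running the script prints one accepted and one rejected line. The point for application-to-application traffic is that the pinned client never consults the OS CA store, so the set of parties who can impersonate the backend is limited to whoever holds `backend.key`, which is the internal-security assumption the reply makes explicit.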