Self signed certificate for machine to machine https connection

Question

I need to set up https communication between a Tomcat application server and a back end system. The web server hosts a public website, so is in a DMZ.

My question is if there any advantage in using official CA certificates, over using self signed certificates in this situation (machine to machine communication)?

I keep hearing self signed certificates should not be used on production systems, but I'm not sure I understand why (for machine to machine communication).

Answer 1

The risk lies in how effective the defenses protecting the hosts in question are, including the network connection between them. Given that weaknesses and exploits are being found all the time, it is reasonable to say there could be issues with self-signed certificates used in a production environment - which includes hosts in a DMZ.

Here's the reason: man-in-the-middle. In short, if either host - or the network between them - becomes compromised, then the traffic between them will still be encrypted, but because the certificate is self-signed, a man-in-the-middle (aka "MITM") would be able to introduce a transparent proxy using a self-signed cert, which will be trusted by both sides.

If instead your hosts use a public CA, then the MITM approach cannot work.

If the annual $15-50 investment per host is more costly than the information on and between them - including what could be on them (e.g., compromised, serving malware), then the choice is simple: don't worry about buying certs. Otherwise, it's important to look into them.

The comment by Adam Hupp on this webpage provides a good, simple scenario:

http://www.vedetta.com/self-signed-ssl-certificates-vs-commercial-ssl-certificates-how-mozilla-is-killing-self-signed-certificates

And here's a more fleshed out description of the risk: http://blog.ivanristic.com/2008/07/vast-numbers-of.html

And finally a balanced look at the two scenarios, though this article only considers self-signed OK when there is a fully-functional, properly protected and implemented Certificate Authority server installed: http://www.networkworld.com/news/tech/2012/021512-ssl-certificates-256189.html

Answer 2

I see no advantage in using official certificates for this task - besides the fact that your marketing dept. could claim your infrastructure is "100% certified by $CA". Encryption algorithm/strength and cert duration can be the same, depending on how you configure it.

The recommendations you hear probably focus on the far more common usage of HTTPS for communication with browsers, which nowadays complain about self signed certs. For data transfer between servers, I think it's good practice to encrypt traffic the way you plan on doing it!