CGP

Reputation: 303

Self-signed certificate vs CA certificate for REST APIs over HTTPS

Let's say we have a server only running REST API services, only on HTTPS. The only consumer of the APIs is a mobile app. Do we need a certificate from a CA, or is a self-signed certificate enough?

Upvotes: 3

Views: 1918

Answers (2)

Simone Carletti

Reputation: 176372

You will need to use a CA certificate. Otherwise, each mobile client will have to manually set your certificate as trusted.

You can potentially embed the certificate as trusted in the mobile app itself (assuming you distribute the app); however, it will be a problem when the time comes to renew the certificate, or to rekey/replace the certificate for whatever issue.

Using a globally trusted certificate is the way to go.

Upvotes: 5

Tom

Reputation: 4826

You can:

  • Keep a self-signed certificate, but then you have to pin the certificate, and you can't revoke it if the private key is compromised.
  • Use a home-made certificate authority, but then you have to pin the certificate and manage the revocation process (maintain an OCSP responder or a CRL).
  • Use a certificate from a trusted CA; revocation will be checked for you, and if you want additional security, you can still pin the certificate.

In my opinion, the use of a trusted CA is more secure and simpler.

Upvotes: 4
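Both answers rest on the same two facts: a stock TLS stack refuses a self-signed certificate because it cannot chain it to a trusted root, and pinning gets around that only for as long as the server keeps the pinned key, which is exactly why renewal hurts. The Go program below is an added illustration, not code from the question or either answer; it uses only the standard library, mints throwaway self-signed certificates as constructed test data, and the `spkiPin`/`pinnedVerifier` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed server cert (constructed test data); a second call models a re-key at renewal.
func selfSigned(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// chainValid does what a stock mobile TLS stack does: chain the leaf to a trusted
// root. A self-signed cert has no CA behind it, so this fails (unknown authority).
func chainValid(cert *x509.Certificate, host string) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return err == nil
}

// spkiPin is the common pin format: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedVerifier has the tls.Config.VerifyPeerCertificate signature: the leaf is
// accepted only if its pin equals the one compiled into the app, so a re-keyed
// server is refused by every installed client until the app itself is updated.
func pinnedVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err == nil && spkiPin(leaf) != pin {
			err = errors.New("tls: certificate pin mismatch")
		}
		return err
	}
}
```

Running `chainValid` on the first certificate returns false, `pinnedVerifier` built from its pin accepts that certificate and rejects the re-keyed one, which is the operational cost both answers describe.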
