Why not SSL enable Apache with own CA?


I purchased a domain name. I set up a website that is deployed on Apache, that is accessible at my domain, currently over the HTTP protocol "port 80". I now want to configure this Apache server for SSL. I'm evaluating the two options below.

Option #1: I create the "Certificate Signing Request" (CSR), then while acting as the CA, I create the certificate based on the CSR, I then configure Apache to be running on port 443, with the certificate I created.

Option #2: I create the CSR, I submit my CSR to a widely known CA like Symantec to get a certificate. I then configure Apache to be running on port 443, with the certificate provided by Symantec.

What are the downfalls to option #1?

From an end-user perspective "someone accessing my site", what indications would they have that I used option #1?

Is it correct to assume, with option #1, that I couldn't get end-users accessing my site to get a green bar menu?


Answer by Brody (accepted answer):

With option 1 the end user has no confidence they are not being spoofed. Because you are acting as your own CA, the end user has to make a decision about whether to trust you. If they do, they may well be trusting someone who has intercepted your request and used their own certificate.

With option 2 the user is trusting the CA that provided your certificate and can be more confident that no man-in-the-middle attack is taking place.

For some purposes your own self-signed cert can be fine. Not for any real ecommerce though.