Is it a good idea to use cacert SSL certificates instead of self signed one in production?

Question

At work, I have a bunch of web interfaces that use plain http or self signed certificates (load balancer management interface, internal wiki, cacti, ...).

None is reachable from outside specific vlans/networks.

For home usage, I use cacert SSL certificates.

I was wondering if I should suggest my employer to use cacert SSL certificates instead of self signed certificates and plain http. Anyone use cacert ssl in production? What are the pro/cons? Does it improve security? Is it easier to manage? Anything unexpected? Can it affect qualys scans? How can I convince them?

Of course, paid certificates for public websites would remain unchanged.

Edit :

(just curious) Free ssl certificate from companies do not seem to be class 3. I had to show my passport and be present physically to get class 3 from cacerts. Isn't there warning in browsers for each class 1?

Anyway, I would have the same question about any free CA : Is it better than using self signed and plain http, and why ?

I would do it for ease of management, server side. Anything I missed?

Disclaimer : I'm not a cacert association member , not even Assurer, just a regular happy user.

Answer 1

I would suggest free SSL Certificates from StartSSL, which are recognized by modern browsers too. I've got nothing against CACert except that it doesn't take anything but an account to issue certificates, and those certs are not recognized by anyone unless you manually install the root cert.

_{Obligatory disclaimer as this is a product recommendation: I'm not affiliated with StartSSL in any way. Just a happy customer.}

Answer 2

Is it better than using self signed and plain http, and why ?

Self-signed certificates will train your users (and YOU) to click through warnings habitually, which is a bad habit. What if that Self-signed certificate was replaced with a rogue certificate? Would your users notice, or would they blindly click through yet-another-security-dialog?

Answer 3

I would advise that while there's nothing wrong with using free certs, like from CACert, you probably won't gain anything from doing so either.

Since they're not default trusted by anything, you'll still need to install/deploy the root certificate to all your clients, which is the same situation you'd be in with self-signed certs or certs issued by an internal CA.

The solution I prefer (and use) is an internal Certificate Authority and a mass deployment of its root certificate to all domain machines. Having control over the certificate authority you use makes certificate management a lot easier than even through a portal site. With your own CA, you can generally script up a certificate request and corresponding certificate issue so that all your servers, sites, and anything needing a certificate can get it automatically and be trusted by your clients almost immediately after being put into your environment, with no effort or manual tasks by IT.

Of course, if you not up to the task of setting up and automating your own CA, then using an external free one like the one you mentioned could make your life a little easier, only having to deploy one external root certificate... but you should probably try to do it right the first time, and set up an internal CA for your domain.