Public Key Infrastructures (PKI) are widely used by organizations because they secure communications between servers and clients with digital certificates and certificate authorities (CAs). A certificate pairs a cryptographic key with the user or device information stored within it.
For certificates to be valid, they need to be signed by the certificate authority. Organizations can use pre-built external CAs, which are trusted by the public, or set up their own internal CA, which gives admins full control over implementation and certificate management.
Choosing which CA is right for your organization is challenging because there’s much to consider. We break down the difference between internal and external CAs and which would be a better fit.
Choosing an Internal CA
An internal, or private, CA is a certificate authority designed for internal use: it issues and manages certificates within a network rather than for the public. Internal CAs are commonly used for device authentication for Wi-Fi and VPN. They tend to be used in more security-sensitive applications than external CAs because the trust relationships can be tightly controlled by a single organization. However, that also means their certificates are not trusted by default outside that organization, so they can’t be used for generic applications such as email and public Web SSL.
Pros of Internal CAs
The biggest draw for internal CAs is that admins can customize and configure them to fit perfectly into their environments. With internal CAs, admins can create their own certificates instead of buying them from a public CA, which can be expensive as many organizations deal with hundreds of thousands of certificates. With an internal CA, organizations don’t have to pay for every SSL certificate used.
If you have a Microsoft environment, internal CAs can integrate with Active Directory (AD), which has its own certificate management service, Active Directory Certificate Services (AD CS). This is an incredibly appealing option for Windows environments because certificates can be provisioned and configured through group policy.
Security is better with internal CAs not because they’re inherently more secure than external CAs, but because there are fewer opportunities for outside threats to infiltrate the network. If an external CA is compromised, that could affect every organization that buys certificates from it.
Cons of Internal CAs
The fact that the admin has full control over how to configure an internal CA is both a blessing and a curse. If you know what you’re doing and what you need, it’s relatively easy to set up an internal CA. However, if you’re not a PKI expert, it can be more difficult than using an external CA. No one is going to hold your hand during the configuration process, and it could take weeks or even months to fully configure an internal CA, unless you use a Managed PKI solution.
Running an internal CA is a much bigger financial commitment, so internal CAs were historically used by large companies that employ thousands of people. However, with the advent of Cloud Managed PKIs, the cost of an internal CA has come down to just a few dollars a device. Want to know how much you could save with a Cloud Managed PKI? See our pricing.
Choosing an External CA
An external CA is a publicly-trusted CA that issues certificates to organizations for a fee. Any CA that you use that is not associated with your company is an external CA. External CAs are often used because they’ve established trust with the public at large, though they come with some downsides.
Pros of External CAs
One of the biggest advantages of external CAs over internal CAs is how much easier they are to implement and manage. Certificates issued by external CAs are much simpler to deal with because their roots are already trusted by most web servers and clients. Admins are relieved of the extra step of getting the majority of the public to trust their certificates.
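The trust-store point made in the internal CA section and again here can be seen directly in code. The following Go program is an added example (not from the original post and not SecureW2's code): it constructs a hypothetical internal root CA and a device certificate it issues, then checks that certificate against a client trust store with and without the root. All names, serial numbers and validity windows are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl, signed by key (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so parsing cannot fail
	return cert
}

// BuildPrivatePKI constructs a hypothetical internal root CA and a Wi-Fi/VPN-style device certificate (assumed names/lifetimes).
func BuildPrivatePKI() (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "laptop-0001.corp.example"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf = sign(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// TrustedBy reports whether leaf chains to a root in the given trust store for client authentication.
func TrustedBy(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
func main() {
	root, leaf := BuildPrivatePKI()
	provisioned := x509.NewCertPool()
	provisioned.AddCert(root) // what group policy or an MDM profile does on managed devices
	// An empty pool models a client that was never given the internal root: the valid device cert is rejected.
	fmt.Println("unprovisioned:", TrustedBy(leaf, x509.NewCertPool()), "provisioned:", TrustedBy(leaf, provisioned))
}
```

The same certificate is rejected or accepted purely on whether the verifying client holds the issuing root, which is exactly the distribution step a publicly trusted CA has already done for you.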
The onus of setting up a PKI and updating systems is taken away from the IT department. Public CAs work around the clock to make sure their roots are configured for the latest browsers and applications, so their certificates are immediately trusted. That’s work handled by the external CA management team, not the network admins.
External CAs are perfect for small-to-medium businesses that only need a handful of certificates. It’s much easier and cheaper to pay as you go rather than setting up a PKI and creating certificates on your own. But if you’re a large organization with thousands of employees and clients, an Internal CA might be your best bet.
Cons of External CAs
The trade-off for an external CA being easier to implement than an internal CA is that external CAs are less flexible in terms of certificate issuance and management. Integration between an external CA and your infrastructure is much more limited than with your own internal CA.
External CAs are less scalable than internal CAs. With an external CA, you will have to purchase each certificate individually, which again isn’t much of a problem if you only need a few certificates for specific purposes. However, if you are a large company or your organization grows faster than you anticipated, suddenly you’re spending a lot of money on thousands of certificates.
Complete CA Capabilities with Managed Internal CA
SecureW2’s PKI provides the best of both worlds with a Managed Internal CA that admins can customize to fit their environment and without the heavy burden of implementing and configuring it yourself.
You can skip the coding and hassle by using SecureW2’s advanced PKI. Our state of the art management tool allows you to benefit from having a private CA without the associated inconveniences that come with them.
You can create a private internal CA in minutes and with SecureW2’s system you can manage and customize your CA ensuring all your security needs are met. It comes with a turnkey suite of Certificate Authority management features so you can customize certificate expiration based on a user’s status, and ensure no certificate expires with our awesome notification features.
SecureW2 also allows you to integrate any SAML/LDAP Identity Provider with your internal CA, which makes it really simple to issue certificates. Create robust policies and issue custom certificate templates based on user groups that already exist in your directory. Our CloudRADIUS solution, an improvement upon the RADIUS protocol, can perform Identity Lookup with Identity Providers, providing another security measure in those critical moments before you know you need to revoke a certificate.
A managed internal CA is necessary for some organizations, but it can be difficult to set up and maintain. SecureW2 offers a full complement of PKI services, including private CA custom-tailored to your needs. We have affordable options for organizations of any size.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Sam Metzler. Read the original post at: https://www.securew2.com/blog/internal-vs-external-cas