Cacert.org
https://cacert.org
- is open and follows the typical open community approach
- inclusion is small; almost no modern browser trusts them ( it's really self-signed imho )
- issues certificates at 6-month intervals
- has one of the easiest forms of domain validation, based on ICANN or whois data
- does not use any on-host software or applications for management, issuance or revocation
- a very good CA if you don't care about an established trust anchor and are testing SSL/TLS certificates
- cares less about the FQDN being real ( you can issue a certificate for an FQDN that is not alive or doesn't even exist )
- does scrutinize the CSR details
- requires domain validation
https://letsencrypt.org/
- much more advanced
- requires more work and dependencies to get it up ( e.g. ACME ), but in the end it is worth it!
- certificates are issued with 90-day expirations
- requires an FQDN to be set in "place" and correct
- inclusion list is strong, heck, way stronger than cacert ( trusted by quite a few browsers to be specific )
- is trusted and trustworthy in the big web CA chain
- scrutinizes CSR details to be correct
- requires domain validation ( you might be able to get a certificate issued for internal-only names, aka "dot" local )
Let's Encrypt: if you're cheap, on a budget, testing a development site, and need a short stroke issued certificate, this is hands down what you should use.
If you need an internal CA for, let's say, an "enterprise" org, and have no CA built, have no budget, and have no understanding of CA design, then hands down cacert.org is ideal in these cases.
Knowing and understanding the differences between these two free CAs, and where each one is best suited, is a must.
kfelix @ socpuppets.com
NSE ( network security expert) and Route/Switching Engineer