An internal certificate authority is an organization that generates its own digital certificates instead of paying a certificate authority (CA) to create them. Digital certificates and CAs are crucial components of public key infrastructure (PKI). Organizations typically buy transport layer security (TLS) or secure sockets layer (SSL) certificates from CAs to improve security on their websites and to build trust with site visitors and customers.
Digital certificates provide third-party endorsement from a reputable organization for the legitimate identity of websites. You can think of them as digital passports.
For example, when you visit a website that uses SSL, that certificate tells you that the website is who it says it is and that any communication between you and that website will be encrypted. This is true for both publicly accessible websites and for private web servers and virtual private networks (VPNs) that only the people belonging to a certain organization can access.
Pros and cons of internal certificate authority
An organization may choose to issue its own digital certificates for a number of reasons, but it’s important to weigh the pros and cons when deciding whether or not to do so.
The most frequently cited advantage of issuing your own certificates is cost savings. A digital certificate from a reputable CA can cost upwards of $400 per year. Organizations that effectively become their own CA should only do so if they can save money by doing it. Some people mistakenly believe that issuing your own digital certificates is free, but this isn’t necessarily true.
Issuing your own digital certificates requires your own server, storage space, and IT resources. Unless you intend to develop your own certificate-issuing software, you may also have to pay for a certificate-generating software system, though some open source options exist.
Some organizations may choose to issue their own digital certificates in the interest of tighter security. Certificate authorities are logical targets for hackers, and in the wake of the 2011 DigiNotar cyber attack, some organizations felt uneasy about the security of CAs. However, most CAs today follow rigorous security protocols that make unauthorized access very difficult.
While no organization is completely impervious to being hacked, purchasing digital certificates from a reputable CA may be more secure than issuing them yourself. Unless you have the appropriate IT staff and physical protections in place at your organization, a determined hacker could breach your system and issue fake digital certificates for a man-in-the-middle attack.