
Alessandro Perilli on Enterprise Security


Free digital certificates for servers, applications and code

Many already know that some commercial certificate authorities, such as Thawte (acquired by VeriSign in 2000), already offer free digital certificates.
What not everybody knows is that these are client certificates only, which means they cannot be installed on a web server, for example.

If we need a server certificate for a lab environment, or we plan to use it only inside our own company, then we can create a self-signed one.
But if we need a server certificate trusted worldwide, we will have to pay for it.

Unless we turn to CAcert.

CAcert is a non-profit Certificate Authority based in New South Wales, Australia, running since 2002, which issues client and server X.509 Class 3 digital certificates for free.

Client certificates are typically used for email encryption and/or authentication.
Lately they are also used for instant messaging encryption, and in the near future they will probably be the most widely used tool for securing VoIP communications.

Server certificates are instead used to secure, and to authenticate, a vast range of servers, from web servers to mail servers, up to VPN gateways (where peer authentication with digital certificates over IPsec is much safer than exchanging a pre-shared secret).
CAcert certificates support all these uses and can be used on mail servers to secure all three major protocols: POP3, SMTP and IMAP.

CAcert certificates are also usable as so-called code signing certificates, allowing developers to provide identity verification for their installers, Java applets or .NET framework executables.
Unfortunately (or fortunately) this kind of certificate is not immediately available like the standard client and server certificates mentioned above: the requester has to go through a special process to assure his identity.


The biggest issue with CAcert certificates is that they are not recognized out of the box: CAcert is not included among the root certificate authorities shipped with Internet Explorer, Firefox and Opera, so everybody interacting with these certificates has to import the CAcert root certificate into their operating system.

This situation will eventually change, since more and more distributions are providing default support for CAcert.
Among those that do today: CentOS, Debian, FreeBSD, Gentoo, Knoppix. Others will follow.

Despite this limitation, in many scenarios adopting CAcert is still better than generating self-signed certificates: providing authentication for several tens or hundreds of servers, for example, would be impractical with self-signed certificates, since every one of them would have to be imported into each client.


Another, less severe, issue with these certificates is that they don't contain any personal information immediately after issuance.

When a new free certificate is issued it contains only the information the certificate authority can easily verify: our email address for client certificates and our domain name for server certificates.
If we want CAcert to certify that our email address or domain name is linked to a real person or company identity, we have to prove that identity.
This is done through human verification of real-world documents.

Usually called a Web of Trust (WoT), CAcert calls it the Assurance Program, but the principle behind the process is identical:
designated persons around the world, the assurers, can verify our identity by manually checking photo ID documents, and assign us a limited number of points.

A requester has to let several different assurers verify his identity, and he in turn is called to verify the identity of other requesters, in order to reach a certain score.
After reaching the required number of points our certificate is enhanced and can contain more personal data, including for example company name and address.

Obtaining a physical identity verification by assurers is not very easy (at the moment the program counts around 7,000 assurers worldwide) and could cost some money:
while CAcert doesn't charge for the service, sometimes Web of Trust members ask for a small amount of money for their trouble (this also happens with Thawte).

Anyway, full details in a digital certificate are not mandatory to work with it, but once we reach assured status we overcome some other limitations:

  • server certificates expire after 24 months instead of 6 (they are in any case renewable)

  • client certificates can be used for code signing
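To make the two points above concrete (a freshly issued certificate carries only the verified domain name, and nothing chaining to CAcert verifies until its root is imported into the trust store), here is an added example that is not from the article: a constructed, throwaway root CA stands in for CAcert, and the domain and organisation names (example.test, Example Ltd) are made up.

```shell
#!/bin/sh
# Added example, not from the article. A constructed, throwaway root CA stands
# in for CAcert; the domain and organisation names are made up. Runs offline.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in root (NOT the real CAcert root).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Lab (constructed)/CN=Example Lab Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Issue a server certificate. With only a domain the subject carries nothing but
# CN=<domain>, like a freshly released domain-validated certificate; passing an
# organisation name mimics the enhanced certificate obtained after assurance.
issue_server_cert() {
  domain="$1"; org="$2"
  if [ -n "$org" ]; then subj="/O=$org/CN=$domain"; else subj="/CN=$domain"; fi
  openssl req -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$domain" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 180 \
    -extfile "$WORK/ext.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Out-of-the-box check: only the system root store is consulted, so a chain
# ending at an unknown root fails (non-zero exit status).
verify_default_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# After "importing" the root, i.e. trusting it explicitly, the same chain passes.
verify_with_imported_root() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Subject of the issued certificate, to inspect what identity data it carries.
server_subject() {
  openssl x509 -in "$WORK/server.pem" -noout -subject
}

make_root
issue_server_cert example.test
server_subject                    # only CN=example.test, no organisation
verify_default_store || echo "not trusted with the default root store"
verify_with_imported_root && echo "trusted after importing the root"
```

Re-running issue_server_cert with a second argument (the organisation) shows the subject that an assured certificate can carry, while trust still depends only on the root being imported.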


CAcert is not the only free certification authority available on the net.
StartCom, a Linux distributor based in Israel, has been running one for less than 2 years, but it only issues Class 2 digital certificates.
1 Comments:
  • Comodo offers a free SSL for 90 days, for use on online markets for example.

    "Free SSL Certificates provide full SSL functionality for 90 days and are issued using the same Trusted Root Certificate Authority (CA) that issues our end-entity SSL Certificates that provides 99.3% browser ubiquity, and NOT issued by a different test CA. This unique service helps you fully test your system prior to your live roll out."
    http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html


    They have other interesting products like the browser-independent website VerificationEngine http://www.vengine.com/ ... I do not think I saw it in the Symantec report.

    They offer almost everything you need for computer security: anti-spyware, firewalls, antivirus (well, as a NOD32 user I do not think their AV is good, it's just "too beta" still).

    It would be good if someone as professional as the people who run this site would look into Comodo products - some seem to be really promising (as an Outpost Pro user, I would say their free firewall was almost OK).

    Maybe this comment was a bit off topic - but hell, at least there is one now :)

    I love your site and reviews!

    Margus
    aka WaffaDrunker
    By Waffa, at 17:41  

