I want to authenticate systems deployed on different servers with each other using certificates. If it isn't a self-signed certificate, what should it be to let each system have its own certificate and trust the other server in the production environment?
The signed certificates are paid and I don't think I need them since I don't have user interaction. Am I right?
The distinction here is not really "self-signed" vs "signed." The correct distinction is "commercial" vs. "internal." Commercial certificate vendors are selling you exactly one thing: they have a certificate in the root store of major browsers and operating systems. There is no technical difference between a certificate that Verisign signs and one that you sign. Verisign just has a signing certificate in this list and you don't.
So you're correct. For internal authentication, there is no security reason to favor commercial certificates. You still have to protect your private key just as carefully. Commercial certificates offer convenience, not security. You pay them some money, and you don't have to worry about some of the configuration.
But you can trade convenience for money. There are two ways to do that: internal roots and certificate pinning. With an internal root, you just create some signing root certificate (a "Certificate Authority") and put it in the trusted root stores of your servers. Then issue CSRs (certificate signing requests) to yourself, sign them, and apply those to your services.
Certificate pinning just skips the Certificate Authority step. Just take all of your service certificates, and put them directly into the trusted root stores of your servers. Then there's no indirection.
Each way has its advantages. I tend to prefer pinning, all other things being equal, because it ties me to specific certs rather than chains. But either way is really fine.
The specifics of course are going to be highly dependent on your toolchain, which you didn't list, but your question suggests you already know how to create the certs.
Just remember that your security is going to be dependent on protecting your private keys. But that was true with commercial certificates, too.
You didn't say what platform you are using, but for Windows I would recommend Active Directory Certificate Services: https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx