What do you think about securing an inter-application communication channels with an SSL-like solution? Or any solution that takes crypto certificate management procedures to be introduced? Well, yes, I also think it’s great even in fairly complex environments, provided it’s done right. And unfortunately, usually it isn’t.

Why? Because doing it right costs money and a lot of it. The amount seriously depends on the size of the infrastructure and its architecture. It’s also not all the same if we maintain the CA ourselves or we buy each and every certificate from some external CA.

To be sure our communication channels are secured we need to properly manage our certificates' lifecycle — we need to generate them or buy when we need to set up a new secured link, we need to make sure private keys are stored securely and if we suspect their security might have been compromised, we need to revoke them from usage and regenerate new ones. And finally, once the expiration date comes, we need to renew them — the never-ending, or close, validity period should be considered insecure by its very nature.

Often it’s crucial that we manage to renew the certificate before its validity period finishes, else the so-very-important-business-process gets stuck and we’re sooo gonna get it. And that’s precisely why the expensive certificate and keys management procedures, underlying management software and staff that knows how to operate it are pretty useful to have.

Needless to say, the in-house CA adds a lot of trouble and effort to the already not that great situation. And since trouble and effort equals money, the best way to go is as usual up to the cost/benefit analysis. And, as usual, it may prove worthwhile to actually check if the links really need crypto protection, which in turn is up to the risk analysis.

And just for the record, passwords are so much worse of an option and so much more trouble that I decided to not even mention it… oh, damnit…