Self-Signed SSL Certs in "internal" Production (not publicly exposed)


omar.a...@gmail.com

Jun 29, 2017, 11:46:30 AM
to rabbitmq-users
Hi,

Provided a Rabbit cluster is used only internally (LAN) and NOT exposed to the public, are there any dangers or downsides of using self-signed certs in a production environment?

Rabbit's SSL docs page warns against self-signed certs for (most) production environments:

Note that tls-gen and the certificate/key pairs it generates are self-signed and only suitable for development and test environments. The vast majority of production environments should use certificates and keys issued by a well known commercial CA.

Thanks!

Michael Klishin

Jun 29, 2017, 1:44:26 PM
to rabbitm...@googlegroups.com
If you have a security team, ask them.

It can be reasonable to use self-signed certificates in production, in fact,
some multi-node systems — Chef server and Chef clients is one random example —
generate and use self-signed certificates per installation by default.
Self-signed certificates are also not unheard of in peer-to-peer systems.

Primary downside of self-signed certificates that I see (I'm by no means a security expert) is that
you will have to manage trusted CA certificates, whereas with a well-known commercial CA
their certificates might already be bundled with your OS or easy to install as an optional package
(with apt, yum, etc). That introduces operational overhead and security risks.

If I was deciding whether that is worth doing, I'd ask my team about what features
of TLS we are after: encryption? authentication? integrity? A certain combination of those?
How sensitive is the data that will be transferred over this installation? Do we have any in house
experience with self-signed certificate management? And so on.

But I certainly see that self-signed CA certificates can be worth using in production in some cases.
It's just that our docs try to recommend the safer side.


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ
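The trust-store overhead Michael describes, as an added example that is not from the thread or the RabbitMQ project: an internal CA signs a node certificate, and a client accepts it only once that CA is in its own trust store and the hostname matches, while the OS bundle rejects it. Hostnames, file names and the one-day validity are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: an internal (self-signed) CA issues a
# RabbitMQ node certificate, and a client accepts it only once that CA is in
# its trust store and the hostname matches. Host/file names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create the internal CA. ca.crt is the trust anchor that must be distributed
# to every client (and used as ssl_options.cacertfile on the nodes).
make_internal_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Internal RabbitMQ CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a node certificate signed by the CA, with the node's hostname in a
# SAN so clients can check they reached the node they intended to.
issue_node_cert() {
    host="$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -days 1 -in "$WORK/$host.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# What a verifying client does: succeed only if the certificate chains to the
# given trust store AND carries the expected hostname.
client_trusts() {
    cafile="$1"; host="$2"; certfile="$3"
    openssl verify -CAfile "$cafile" -verify_hostname "$host" \
        "$certfile" >/dev/null 2>&1
}

# Same certificate checked against the OS bundle, which does not know our CA.
os_store_trusts() {
    openssl verify "$1" >/dev/null 2>&1
}

make_internal_ca
issue_node_cert rabbit1.internal
NODE_CERT="$WORK/rabbit1.internal.crt"

os_store_trusts "$NODE_CERT" || echo "OS trust store rejects the node cert (expected)"
client_trusts "$WORK/ca.crt" rabbit1.internal "$NODE_CERT" && echo "trusted with ca.crt"
client_trusts "$WORK/ca.crt" rabbit2.internal "$NODE_CERT" || echo "wrong hostname rejected"
```

Every client and node that should talk to the cluster needs ca.crt distributed to it and rotated when the CA is renewed; that distribution step is the operational overhead a commercial CA spares you.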

omar.a...@gmail.com

Jun 29, 2017, 2:04:24 PM
to rabbitmq-users
Thank you so much, Michael!