Self-signed certificates performance in WCF scenarios

I read that self-signed certificates suffer from performance issues (for example, here) but which ones exactly? I can guess this can be related to revocation checks or something but not sure.


I disagree with the article about "performance problems" in using certificates created by MakeCert.exe.

If no revocation information is included in the created certificate, then there can be no performance loss because of revocation. Probably the only thing which is specific to using a self-signed certificate is the following: you should include the self-signed certificate in the Root certificate store (Trusted Root Certification Authorities) or, better, in the AuthRoot certificate store (Third-Party Root Certificate Authorities) on all computers which will use it. After this your self-signed certificate will be not more worth as VeriSign root certificate in most scenarios. Of course this way is possible only inside of one company and can be difficult to use in enterprise scenarios with a lot of independent client computers.

By the way, it is possible to create a simple PKI with the MakeCert.exe utility. For example, you can create the self-signed root certificate of your mini CA:

MakeCert.exe -pe -ss MY -a sha1 -cy authority -len 4096 -e 12/31/2020 -r -n "CN=My Company Root Authority,O=My Company,C=DE" MyCompany.cer

Then you can create an additional child certificate:

MakeCert.exe -pe -ss MY -a sha1 -len 2048 -e 12/31/2020 -eku 1.3.6.1.5.5.7.3.2 -n "CN=My Name,O=My Company" -sky exchange -is MY -in "My Company Root Authority"

You can choose different enhanced key usage OIDs in the eku switch depending on the scenario in which you want to use the certificate.

To add the root certificate of your mini CA to the AuthRoot certificate store (Third-Party Root Certificate Authorities) we can use, for example, the CertMgr.exe utility:

CertMgr.exe -add -c MyCompany.cer -s -r localMachine AuthRoot

You can also create and use a Certificate Revocation List file if it is needed for your scenario.

See How to: Create Temporary Certificates for Use During Development and other How to Articles for more examples.
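
One way to check the revocation point above on a test machine, as an added PowerShell example that is not part of the original answer: it lists any CRL Distribution Points and Authority Information Access extensions in a certificate, then times X509Chain.Build under each revocation mode. The CurrentUser\My store location and the subject filter are assumptions based on the MakeCert commands above.

```powershell
# Added example, not from the original answer.
# Assumption: the child certificate from the MakeCert command above is in CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*CN=My Name*' } |
    Select-Object -First 1
if (-not $cert) { throw 'Certificate not found; adjust the subject filter.' }

# 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access.
# If neither is present, the certificate names no URL to fetch revocation data from.
$pointers = $cert.Extensions |
    Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' }
if ($pointers) {
    $pointers | ForEach-Object { '{0}: {1}' -f $_.Oid.Value, $_.Format($false) }
} else {
    'No CDP or AIA extension in this certificate.'
}

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    # Upper bound on how long a single CRL/OCSP download may block the build.
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Cert)
    $timer.Stop()
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()
    [pscustomobject]@{
        RevocationMode = $Mode
        ChainValid     = $valid
        Milliseconds   = $timer.ElapsedMilliseconds
        ChainStatus    = $status
    }
}

# Compare no revocation check, cached data only, and online retrieval.
'NoCheck', 'Offline', 'Online' |
    ForEach-Object { Measure-ChainBuild -Cert $cert -Mode $_ } |
    Format-Table -AutoSize
```

Run it once against the MakeCert certificate and once against a certificate from a public CA to compare the timings and chain status per mode.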
