Grid-signed vs. CA-signed certificates
The default behavior of the Grid is that HTTPS and client certificates are signed with the Grid root key. In the case of Grid HTTPS server certificates, used in HTTPS identities, it is also possible to have them signed by an external CA (Certificate Authority).
The benefit of having a CA-signed certificate is that clients automatically trust the issuer of the certificate if the CA is one that the clients already trust. This is the case for public Certificate Authorities (such as VeriSign, DigiCert, Thawte, and so on).
In many organizations, it is easy to get the Grid root certificate trusted by the browsers of their own organization. It might be trickier when accessing using different handheld devices or for uncontrolled devices (e.g. external users).
The decision to use grid-signed or CA-signed certificates depends on the use of the Grid and the applications that run in the Grid.
With the use of HTTPS identities, it is possible to have CA-signed HTTPS certificates on some routers and grid-signed HTTPS certificates on others, depending on what each router is used for.
When to use Grid-signed HTTPS certificates
Grid-signed certificates are suitable in certain scenarios, for example, test installations or installations that only have managed clients where it is easy to ensure that all clients automatically trust the grid root certificate.
When to use CA-signed HTTPS certificates
We recommend that you use CA-signed HTTPS certificates in any scenario where it is impossible or difficult to get connecting clients to trust the issuing certificate. Scenarios can be:
-
When using a grid installation running in the cloud.
-
Internet-facing routers (not recommended), or routers that external users can connect to using unmanaged devices (for example using VPN connections).