Grid-signed vs. CA-signed Certificates

By default, the grid signs both its server and client certificates with the grid root key. Grid SSL server certificates can alternatively be signed by an external CA.

The benefit of a CA-signed certificate is that clients accept it without any extra configuration, provided the issuing CA is already in their trust store. This is normally the case for public Certificate Authorities (such as VeriSign, Entrust, Thawte, and so on).

In many organizations it is easy to get the grid root certificate trusted by the browsers on the organization's own managed machines. It is harder for handheld devices and for devices the organization does not control (for example, those of external users).

The choice between grid-signed and CA-signed certificates depends on how the grid is used and on the applications that run in it.

Note that a multi-host grid may have CA-signed SSL certificates on some hosts and grid-signed SSL certificates on others, depending on what each host/router is used for.

When to Use Grid-signed SSL Certificates

Grid-signed certificates are suitable in scenarios such as test installations, or installations with only managed clients, where it is easy to ensure that every client trusts the grid root certificate.
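The following script is an added example and is not Infoblox code; it illustrates the trust point made above and in this section. It builds a hypothetical private "grid root" CA and a server certificate signed by it with openssl (assumed to be OpenSSL 1.1.1 or later on PATH), then checks the server certificate the way a client would: against an empty trust store (a client that was never given the grid root), against this host's default store, and against a store that contains the grid root. The names gm1.grid.example, make_private_pki and check_chain are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the Infoblox documentation.
# Assumes: openssl 1.1.1+ on PATH. All names below are hypothetical.

# Create a self-signed root ("grid root") and a root-signed server cert in $1.
make_private_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal config so the example does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Grid Root CA (example)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed root: plays the role of the grid root key/certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/pki.cnf" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

    # Key and CSR for a hypothetical grid member; -subj overrides the config DN.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=gm1.grid.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # Leaf extensions: not a CA, usable for TLS server authentication.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:gm1.grid.example
EOF
    # Sign the CSR with the root, i.e. issue a "grid-signed" server certificate.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# Print "trusted" if server.pem in $1 chains to a root in the chosen trust store,
# "untrusted" otherwise. $2 selects the store:
#   none    -> empty store (a client never told about the grid root)
#   system  -> this host's default CA path/file
#   <file>  -> only the CA bundle in <file> (e.g. the grid root)
check_chain() {
    dir="$1"; store="$2"
    case "$store" in
        system) set -- ;;
        none)   set -- -no-CApath -no-CAfile ;;
        *)      set -- -no-CApath -no-CAfile -CAfile "$store" ;;
    esac
    if openssl verify "$@" "$dir/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_private_pki "$d"
    echo "empty store:        $(check_chain "$d" none)"          # untrusted
    echo "system store:       $(check_chain "$d" system)"        # untrusted
    echo "store with grid root: $(check_chain "$d" "$d/root.pem")" # trusted
    rm -rf "$d"
fi
```

The third check is what "the client trusts the grid root certificate" means in practice: only a client whose store contains root.pem accepts the server certificate. On a managed Debian or Ubuntu host that is done by copying root.pem to /usr/local/share/ca-certificates/ with a .crt extension and running update-ca-certificates; on unmanaged devices there is no such step you control, which is the case the next section addresses.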

When to Use CA-signed SSL Certificates

CA-signed SSL certificates are recommended in any scenario where it is impossible, or simply too much work, to get connecting clients to trust the issuing certificate. Scenarios include:

  • When using a grid installation running in the cloud.

  • Internet-facing routers (not recommended), or routers that external users connect to from unmanaged devices (for example, over VPN connections).