2. vCloud Cell Design Examples : 2.2 Secure Certificates : 2.2.3 Design Implications
2.2.3 Design Implications
*When using SSL certificates it is important to understand and evaluate what the different types of SSL certificates are available to you for your specific requirement.
*In a production environment, do not configure vCloud Director to use self-signed certificates. This is a poor security practice. Self-signed certificates are digitally signed by the private key that corresponds to the public key included in the certificate, instead of a CA signing the certificate. By self-signing a certificate, you attest that you are who you say you are. No trusted third party is involved to verify the identity of the system that owns the certificate.
*Self-signed certificates do not have a valid chain of signatures leading to a trusted root certificate. They provide a weaker form of security because, while you can verify such a certificate is internally consistent, anyone can create one, so by examining the certificate, you cannot know if it is safe to trust the issuer or the site the certificate is coming from. Nevertheless, self-signed certificates are common. For example, vCenter installations use a self-signed certificate by default.
*The server key store should be considered highly sensitive because a compromise of the server key allows impersonation of the server and/or access to the encrypted traffic. Java keystores provide a method of securely storing private keys and their associated certificates, protected by a password. vCloud Director supports only the JCEKS format for keystore files. (Other formats that Java supports include PKCS12 and JKS. JKS is less secure, so it is not recommended).