Please feel free to explain your stance more, also I’m not an expert. But that seems like a potentially dangerous statement.
Certificates are a multifacted issue which cannot be covered by “Self signed certs are more secure”.
Even in an environment you are fully managing intermediate and leaflet certificates, you want the root issued by a public CA. Ideally an EV CA.
If the infrastructure is fully internal, there are still advantages to using an external CA (like for getting a root cert) unless you are able to securely generate, store, revoke, cycle, and manage the root certificates.
As for trusting certificate chains, again multifaceted, but they fix a lot more problems than they cause and increase security posture. Having one off pairs per service at any but the smallest scale is security nightmare fuel.
I didn’t say anything that disagrees with this. CAs are nice and convenient. They do this by expanding the chain of trust to a lot more people, hence making them less secure.
Sure if you can’t securely manage your cert, that’s a problem. But that doesn’t mean let’s less secure
Please feel free to explain your stance more, also I’m not an expert. But that seems like a potentially dangerous statement. Certificates are a multifacted issue which cannot be covered by “Self signed certs are more secure”. Even in an environment you are fully managing intermediate and leaflet certificates, you want the root issued by a public CA. Ideally an EV CA. If the infrastructure is fully internal, there are still advantages to using an external CA (like for getting a root cert) unless you are able to securely generate, store, revoke, cycle, and manage the root certificates. As for trusting certificate chains, again multifaceted, but they fix a lot more problems than they cause and increase security posture. Having one off pairs per service at any but the smallest scale is security nightmare fuel.
I didn’t say anything that disagrees with this. CAs are nice and convenient. They do this by expanding the chain of trust to a lot more people, hence making them less secure.
Sure if you can’t securely manage your cert, that’s a problem. But that doesn’t mean let’s less secure
I think it’s important to distinguish use case. Or make more qualified statements instead of saying self signed certs are always more secure.
Like, are we talking about a single certificate pair per service contained on your local isolated network? Sure probably then.
Otherwise, very likely not.