Implement Web Server certificates from a private CA if the Web server is an intranet server. An intranet server is accessed only by computers and users within your organization. It is possible to deploy the trusted root certificate to an organization’s computers through enterprise policy, Group Policy, or CAPICOM scripts.
Implement Web Server certificates from a commercial CA when:
The Web server is on the Internet or on an extranet. If the Web server is accessed by non-organization–managed computers or users, you increase trust in your Web site by deploying a Web Server certificate from a commercial CA.
The Web server is selling goods or services on the Internet. A commercial CA certificate can provide liability insurance for e-commerce transactions on the Web server.
Enable SSL for only those Web sites that require enhanced security. There is extra performance overhead involved in connecting to a Web server implementing SSL. Implement SSL only in cases where you must prove the Web server’s identity or encrypt data transmitted between the Web server and the Web client.
Ensure that all Web clients trust the root CA certificate of the Web Server’s certificate chain. If the Web Server certificate chains to a nontrusted root CA, users are warned that the certificate is not trusted, which can prevent them from connecting to the Web site.
Ensure that the Web Server certificate’s subject matches the Web server’s DNS name. If the subject name does not match the Web site’s DNS name, the user is warned.
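The name check in the last item can be run before a certificate is bound to a site. The following is an added example, not taken from the book: it assumes certificate data in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), and every host name and certificate in SAMPLE is constructed. It goes slightly beyond the text by preferring subjectAltName DNS entries over the subject common name, which is how current clients evaluate the match.

```python
"""Pre-deployment audit: does each certificate cover its site's DNS name?"""

def _label_match(pattern, host):
    """Compare a certificate name with a host name, label by label.
    '*' is honoured only as the entire left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names a client will test. subjectAltName DNS entries take
    precedence; the subject CN is consulted only when none are present."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(cert, dns_name):
    return any(_label_match(n, dns_name) for n in cert_names(cert))

def audit(sites):
    """sites maps DNS name -> certificate dict. Returns the names whose
    certificate would produce a name-mismatch warning in the client."""
    return sorted(d for d, c in sites.items() if not name_matches(c, d))

# Constructed sample data, shaped like ssl.SSLSocket.getpeercert() output.
WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"),)}
SAMPLE = {
    "intranet.example.com": {"subject": ((("commonName", "intranet.example.com"),),)},
    "shop.example.com": {"subject": ((("commonName", "www.example.com"),),),
                         "subjectAltName": (("DNS", "www.example.com"),
                                            ("DNS", "shop.example.com"))},
    "mail.example.com": WILDCARD,
    "a.b.example.com": WILDCARD,   # two labels deep: wildcard does not cover it
    "portal.example.com": {"subject": ((("commonName", "PORTAL01"),),)},  # machine name, not DNS name
}

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("name mismatch:", name)
```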