ExamGecko

Question 379 - SY0-601 discussion


A security administrator recently used an internal CA to issue a certificate to a public application. A user tries to reach the application but receives a message stating, “Your connection is not private.” Which of the following is the best way to fix this issue?

A. Ignore the warning and continue to use the application normally.
B. Install the certificate on each endpoint that needs to use the application.
C. Send the new certificate to the users to install on their browsers.
D. Send a CSR to a known CA and install the signed certificate on the application's server.
Suggested answer: D

Explanation:

A certificate issued by an internal CA is not trusted by default by external users or applications. Therefore, when a user tries to reach the application that uses an internal CA certificate, they will receive a warning message that their connection is not private [1]. The best way to fix this issue is to use a certificate signed by a well-known public CA that is trusted by most browsers and operating systems [1]. To do this, the security administrator needs to send a certificate signing request (CSR) to a public CA and install the signed certificate on the application’s server [2]. The other options are not recommended or feasible. Ignoring the warning and continuing to use the application normally is insecure and exposes the user to potential man-in-the-middle attacks [3]. Installing the certificate on each endpoint that needs to use the application is impractical and cumbersome, especially if there are many users or devices involved [3]. Sending the new certificate to the users to install on their browsers is also inconvenient and may not work for some browsers or devices [3].

Reference:

[1] https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-selfsigned-certificate

[2] https://learn.microsoft.com/en-us/azure/application-gateway/mutualauthentication-certificate-management

[3] https://serverfault.com/questions/1106443/should-i-use-a-public-or-a-internal-ca-for-client-certificate-mtls

asked 02/10/2024
Paolo D Amelio
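
The trust behaviour described in the explanation, reproduced offline with OpenSSL as an added example that is not part of the original page: one CSR is signed by two different roots, and each result is checked against a client's trust store. The names `internal-ca`, `public-ca` (a locally generated stand-in for a publicly trusted CA) and `app.example.com` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. All names are constructed; "public-ca" is a local stand-in for a
# publicly trusted CA, which cannot be contacted offline.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = app.example.com
[v3_ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:app.example.com
EOF

# make_ca NAME: create a self-signed root certificate and key.
make_ca() {
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# make_csr: the server generates its key and a CSR; only the CSR leaves the server.
make_csr() {
  openssl req -new -config "$WORK/pki.cnf" -reqexts leaf -newkey rsa:2048 -nodes \
    -keyout "$WORK/app.key" -out "$WORK/app.csr" 2>/dev/null
}
# sign_csr CA: the named CA signs the CSR, producing app-CA.crt.
sign_csr() {
  openssl x509 -req -in "$WORK/app.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions leaf \
    -out "$WORK/app-$1.crt" 2>/dev/null
}
# trusted_by STORE CERT: does a client that trusts root STORE accept CERT?
trusted_by() {
  openssl verify -no-CApath -CAfile "$WORK/$1.crt" "$WORK/$2" >/dev/null 2>&1
}
report() {
  if trusted_by "$1" "$2"; then echo "store=$1 cert=$2: trusted"
  else echo "store=$1 cert=$2: NOT trusted (browser warning)"; fi
}

make_ca internal-ca; make_ca public-ca; make_csr
sign_csr internal-ca; sign_csr public-ca
report public-ca   app-internal-ca.crt   # public user, internal-CA cert: the question's scenario
report public-ca   app-public-ca.crt     # same CSR signed by the known CA: option D
report internal-ca app-internal-ca.crt   # works only where the internal root is installed: option B
```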