Commercial cert vs. Microsoft Certificate Services generated cert

Giganews Newsgroups
Subject: Commercial cert vs. Microsoft Certificate Services generated cert
Posted by:  Luckypolo (Luckypo…
Date: Thu, 21 Jun 2007

Hi all,

I am completely new to the certificate issues, so I guess my question is
kind of basic one. I was searching in the Web but now I have kind of mess of
information in my head ;) and I would like to make some order...

We are making a Web application which receives and sends some XML. We want
to make it working through the HTTPS. There will be more than one
installations of this application. We need to get a certificate for each of
those installations (as it is generated for a given DNS name), right?

I guess this is important to ensure that the client applications (not the
Web browser, just a dedicated application) will trust to the certificate used
by our application. So, as far as I read about it, there are two
possibilities to get such a certificate:

1. Order the certificate (for each DNS name) in a commercial world-wide
trusted certification agency.
2. Install and maintain Microsoft Certificate Services and produce our own
certificates (so it is making our own CA).

As far as I understand, if we choose to use Microsoft Certificate Services
and we want the client applications to trust to our certificate, we should
sign our certificates with the certificate which is signed by a world-wide
trusted CA. It means first we need to order one commercial certificate for
signing the certificates generated by our local CA. Is that correct?

Then the client applications will also trust to our certificate - and this
will be because there is a “certificate path” to the trusted root certificate.
Is this certificate path included in the certificate itself? Is there any
performance issue connected to checking a certification path?

As we are responsible for all the installations of our application, the only
access to the Microsoft Certificate Services will be from inside of our
company. However, the certificates generated by the Microsoft Certificate
Services must be trusted by the client applications from outside of the

Ok. Does it sound reasonable at all or I am missing the point?
What are the advantages/disadvantages of the points 1. and 2.?

I will be very thankful for answers.