On Mon, 24 Aug 2009, aurfalien@gmail.com wrote:
> I would go buy a cert.
> They aren't much money, and you can specify the granularity you want the cert to have; the more granularity, the higher the cost, but they are not that much anyway.
The difficulty with purchased certificates is timely revocation, since, as you note,
> After all, 75% of breaches occur from within. You can take that however you want, but the days of a soft nougatine LAN are over.
An in-house Certificate Authority can revoke, say, a locally issued OpenVPN certificate very quickly. If HR calls you aside for a quick and quiet meeting to halt all network access for Jane Employee, having the ability to revoke her certificate(s) by the time she's ushered from the building is nearly essential.
The same thing is true if a user's laptop is stolen. An employee called me early one Sunday morning to let me know that someone had broken into his house and stolen, among other things, his laptop. He had things encrypted, but it was still very reassuring to everyone that I was able to revoke his VPN cert within a few minutes.
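The revocation flow described above, as an added example that is not part of this thread or anyone's posted setup: a throwaway in-house CA built with the stock `openssl` CLI issues an OpenVPN-style client certificate, revokes it, regenerates the CRL, and then checks the certificate the way a server with `crl-verify` would. The directory layout, the config file, and the name "jane" are assumptions for illustration; the only dependency is `openssl` (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example (not from the thread): in-house CA, issue, revoke, CRL, verify.
# Assumes the openssl CLI; paths, section names and "jane" are hypothetical.
set -eu

# setup_ca DIR: create CA key/cert, the openssl-ca database, and an empty CRL.
setup_ca() {
    dir="$1/ca"
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    echo 1000 > "$dir/crlnumber"
    # Minimal openssl.cnf; \$dir stays literal so openssl expands it itself.
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = local_ca
[ local_ca ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 1
policy           = any_policy
x509_extensions  = client_ext
[ any_policy ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/CN=Example In-House VPN CA" 2>/dev/null
    # Publish an (empty) CRL right away: crl-verify fails closed without one.
    openssl ca -config "$1/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# issue_cert DIR NAME: client key + CSR, signed by the CA into DIR/NAME.crt.
issue_cert() {
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
    openssl ca -batch -config "$1/ca.cnf" -notext \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# revoke_cert DIR NAME: mark the cert revoked in the CA database and
# regenerate the CRL. Copying the fresh CRL to the VPN server (the file
# named by crl-verify) is the step that actually cuts the user off.
revoke_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca/crl.pem" 2>/dev/null
}

# verify_cert DIR NAME: exit 0 if the cert chains to the CA and is not on
# the CRL, non-zero otherwise (e.g. "certificate revoked").
verify_cert() {
    openssl verify -crl_check -CAfile "$1/ca/ca.crt" \
        -CRLfile "$1/ca/crl.pem" "$1/$2.crt" >/dev/null 2>&1
}

# demo: issue, check, revoke, check again, in a temporary directory.
demo() {
    work=$(mktemp -d)
    setup_ca "$work"
    issue_cert "$work" jane
    verify_cert "$work" jane && echo "jane: valid"
    revoke_cert "$work" jane
    verify_cert "$work" jane || echo "jane: revoked"
}

# Run the walk-through with: DEMO=1 sh revoke-demo.sh
if [ "${DEMO:-0}" = 1 ]; then demo; fi
```

The CRL is deliberately short-lived (`default_crl_days = 1`) so a server that refuses stale CRLs forces you to keep republishing; the equivalent on the OpenVPN side is `crl-verify /etc/openvpn/crl.pem`, and the server re-reads that file on each new connection, so no restart is needed after a revocation.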