On 11/25/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
> Thanks for the reply.
> I thought when you use HTTPS that it made use of encryption, why would I
> use a SSL cert if I'm using HTTPS?
There is always a SSL cert when using HTTPS (it's what makes the
encryption possible). Defining a custom cert, for one example, can
allow you to put in a certificate signed by a enterprise CA that your
machines trust already. This would be to avoid the annoying "is this
certificate ok" prompts from web browsers, and it makes it much easier
to detect MITM attacks against SSL from the likes of sslmitm, et. al.
Ideally you would use trusted certs for all HTTPS across your network,
and if that certificate warning message ever pops up, your users
should be trained to be suspicious.
You can also use it to use a "real" cert bought from a trusted CA
(like Verisign and others), which will achieve the same results as
above, without having to install and manage your own CA.