You can improve the security of a multi-server Sybase IQ setup by assigning each server a unique certificate that is signed by a common root certificate. You can improve it further using a certificate signed by a commercial certificate authority. Such a certificate is called a global certificate or a globally-signed certificate. A commercial certificate authority is an organization that is in the business of creating high-quality certificates and using these certificates to sign other certificates.
A global certificate has the following advantages:
Security requires that both parties trust the root certificate. In the case of inter-company communication, common trust in an outside, recognized authority may increase confidence in the security of the system because a certificate authority must guarantee the accuracy of the identification information in any certificate that it signs.
Security is enhanced when keys are created using pseudo-random data of high quality. The data used with the gencert utility is of cryptographic quality, but other, even better methods can be used in controlled environments.
The private key for the root certificate must remain private. An enterprise may not have a suitable place to store this crucial information, whereas a certificate authority can afford to design and maintain dedicated facilities.
When using a globally signed certificate, each client must verify certificate field values to avoid trusting certificates that the same certificate authority has signed for other clients. This process is described in the next section.
