Request a certificate from the certificate authority

I have a TCP server application that uses certificates for TLS/SSL, stored in a PKCS#12 file. Assuming a CA is installed somewhere on the network and is accessible, would it be normal practice to request an SSL certificate from the CA (once), programmatically (C#), and write it out to the PKCS#12 file for use by the server?

Would that be normal practice, or would the more likely scenario be a case of buying the certificate from a CA like Thawte or VeriSign etc., specifically for that customer, creating the PKCS#12 file beforehand, and installing it as part of the installation process?

Homegrown answered 4/4, 2012 at 14:19 Comment(0)

I think this is a case where the argument can go either way.

Programmatic certificate requests and signing have their merits if you need to manage a large number of sites, at the loss of human-mediated validation if something goes horribly wrong (for example, if someone hijacks or listens in on your initial request). At some point, a trust decision needs to be made, either programmatically, or as a human operator.

This paper by Bruce Schneier goes into more detail, discussing potential risks to the CA architecture underpinning the trust decisions for PKI cryptography. I believe this covers many cases that are pertinent to your issue and your design that you may not have considered, and should.

Kenwood answered 8/4, 2012 at 1:53 Comment(2)
MrGomez, thanks for the link, but I think I read that paper ages ago. An excellent paper, but I'm really looking for practical, cogent, current advice. Homegrown
@Homegrown Fair enough. Leaving out all of the platitudes associated with managing trust networks and establishing the trust chain all the way to the root of your PKI, this article and its associated links may offer guidance. Pathing down its link tree a bit, I noticed that the author's advice was to log a Technical Support case with Microsoft. That may be worth doing, just to get specific advice targeted to your problem. Good luck! Kenwood
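The one-time programmatic enrolment the question describes, with the two checks the answer's "someone hijacks or listens in on your initial request" caveat calls for, as an added example in C# (.NET 5 or later). This is not code from the question, the answers, or any product: the host name, output path, the `PFX_PASSWORD` environment variable and the in-process stand-in CA are all assumptions, and the CA's actual enrolment transport (web enrolment, SCEP, an internal API) is out of scope, so the CSR bytes are simply handed to the stand-in CA in the same process. The private key is generated on the server and never leaves it; only the PKCS#10 request goes to the CA, and the returned certificate is installed only if it carries exactly the local public key and chains to a CA whose SHA-256 fingerprint the operator pinned out of band.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: one-time enrolment of a TLS server certificate into a PKCS#12 file.
// Host name, output path, password source and the stand-in CA are assumptions.
static class Enrol
{
    const string HostName = "tcp.example.internal";   // assumed server name
    const string PfxPath  = "server.pfx";              // assumed output path

    static void Main()
    {
        // --- Stand-in for the network CA. In production the CA lives elsewhere and you
        //     hold only its certificate, never its key; it is here so the example runs offline.
        using RSA caKey = RSA.Create(3072);
        var caReq = new CertificateRequest("CN=Example Internal CA", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        caReq.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        using X509Certificate2 caCert = caReq.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(10));

        // The operator configures this pin out of band (read off the CA console, shipped in
        // the installer config). Here it is computed from the stand-in so the example runs.
        string pinnedCaSha256 = caCert.GetCertHashString(HashAlgorithmName.SHA256);

        // --- Server side, step 1: key pair and CSR. The key is generated here and stays here;
        //     only the CSR (public key + requested names) is sent to the CA.
        using RSA serverKey = RSA.Create(2048);
        var req = new CertificateRequest($"CN={HostName}", serverKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(HostName);
        req.CertificateExtensions.Add(san.Build());
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false)); // id-kp-serverAuth
        byte[] csrDer = req.CreateSigningRequest();   // PKCS#10 DER: this is what you submit
        Console.WriteLine($"CSR is {csrDer.Length} bytes (submit this, never the key)");

        // --- CA side, step 2 (stand-in): sign the request. A real CA parses csrDer and applies
        //     its own policy before issuing; the stand-in signs from the same request object.
        byte[] serial = new byte[16];
        RandomNumberGenerator.Fill(serial);
        serial[0] &= 0x7F;                           // keep the serial number positive
        using X509Certificate2 issuedByCa = req.Create(caCert,
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1), serial);
        byte[] issuedDer = issuedByCa.Export(X509ContentType.Cert); // what comes back on the wire

        // --- Server side, step 3: do not trust the response blindly.
        using var issued = new X509Certificate2(issuedDer);
        if (!ResponseIsAcceptable(issued, serverKey, caCert, pinnedCaSha256))
            throw new CryptographicException("issued certificate failed validation; not installing it");

        // --- Server side, step 4: pair the certificate with the local key and write the PKCS#12.
        string pfxPassword = Environment.GetEnvironmentVariable("PFX_PASSWORD")
                             ?? throw new InvalidOperationException("set PFX_PASSWORD");
        using X509Certificate2 withKey = issued.CopyWithPrivateKey(serverKey);
        File.WriteAllBytes(PfxPath, withKey.Export(X509ContentType.Pkcs12, pfxPassword));
        Console.WriteLine($"wrote {PfxPath}: subject {withKey.Subject}, expires {withKey.NotAfter:u}");
    }

    // The checks that close the "hijacked initial request" gap: the certificate must carry
    // exactly our public key, and it must chain to the pinned CA and nothing else.
    static bool ResponseIsAcceptable(X509Certificate2 issued, RSA ourKey,
                                     X509Certificate2 caCert, string pinnedCaSha256)
    {
        using RSA certKey = issued.GetRSAPublicKey();
        if (certKey == null ||
            !certKey.ExportSubjectPublicKeyInfo().SequenceEqual(ourKey.ExportSubjectPublicKeyInfo()))
            return false;                            // key was substituted on the way

        if (!string.Equals(caCert.GetCertHashString(HashAlgorithmName.SHA256), pinnedCaSha256,
                           StringComparison.OrdinalIgnoreCase))
            return false;                            // not the CA we were told to expect

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(caCert);   // ignore the machine store entirely
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // stand-in CA publishes no CRL
        return chain.Build(issued);                  // also enforces validity period and extensions
    }
}
```

Run it with `PFX_PASSWORD` set and it leaves `server.pfx` beside the executable; the server then loads that file exactly as it would one prepared by hand. Whether the trust decision is made here in code or by an operator installing a purchased PKCS#12 is the question the answer leaves open, but either way the decision is the same: a key that never left the host, and a certificate accepted only from the CA you already decided to trust.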
