Educause Security Discussion mailing list archives

Re: Free SSL certs for .edu by company included in browser lists


From: Steve Lovaas <steven.lovaas () COLOSTATE EDU>
Date: Fri, 17 Nov 2006 09:25:43 -0700

The primary gotcha of using wildcard SSL certs (one cert valid for
*.yourorg.edu) is that you need to have a mechanism to distribute them
to everyone in your organization who wants to run an HTTPS site. If you
don't adequately protect this distribution mechanism, then someone can
bring up a rogue site in your org (so long as they can get the DNS and
firewall permissions right) with an SSL cert that guarantees the client that
they're connecting to a legitimate site hosted by you.

Also, you need to be very careful about expiration date, since a
wildcard cert would make ALL SSL-secured sites go invalid on the same
day some years in the future when you're probably no longer there to
remember what to do :)

Steve Lovaas
Colorado State University



Jeff Giacobbe wrote:
<snip>

We have not tried the wildcard certificate yet (it almost sounds too
good to be true.) Has anyone had experience with wildcard certs - from
any vendor?  Are there any pitfalls to using one as opposed to a
traditional hostname-based cert?

<snip>
--
==============================================================
Steven Lovaas, MSIA, CISSP
Network & Security Resource Manager
Academic Computing & Network Services
Colorado State University
970-297-3707
Steven.Lovaas () ColoState EDU
==============================================================
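Added example (mine, not part of Steve's message or anything else in this thread): a Go program using only the standard library that builds a throwaway self-signed *.yourorg.edu certificate, shows which hostnames a TLS client would accept it for (which is exactly why a leaked wildcard key lets a rogue host in your domain look legitimate), and grades the single shared expiry date against a warning threshold so it is caught before every HTTPS site goes invalid at once. The domain yourorg.edu, the three-year lifetime and the 30-day threshold are assumed values; the cert is generated in-process, so nothing here needs a CA or a network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newWildcardCert builds a self-signed certificate for *.<domain>, valid for
// 'days' days from notBefore. It stands in for the cert a vendor would issue;
// the private key is generated here and discarded, so nothing leaves the process.
func newWildcardCert(domain string, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "*." + domain},
		DNSNames:              []string{"*." + domain}, // clients match on SAN, not CN
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostCovered reports whether a TLS client would accept this cert for host,
// using the same name-matching rules Go's crypto/tls client applies:
// the wildcard stands for exactly one DNS label.
func hostCovered(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// daysUntilExpiry returns the whole days left before NotAfter as of now
// (negative once the cert has expired).
func daysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// expiryStatus grades the cert against a warning threshold in days. With a
// wildcard cert this one date governs every HTTPS site in the domain.
func expiryStatus(cert *x509.Certificate, now time.Time, warnDays int) string {
	switch d := daysUntilExpiry(cert, now); {
	case d < 0:
		return "EXPIRED"
	case d <= warnDays:
		return "RENEW SOON"
	default:
		return "OK"
	}
}

func main() {
	// Constructed example: a three-year wildcard cert issued the day of this thread.
	issued := time.Date(2006, 11, 17, 0, 0, 0, 0, time.UTC)
	cert, err := newWildcardCert("yourorg.edu", issued, 3*365)
	if err != nil {
		panic(err)
	}
	// Anyone holding the key can serve rogue.yourorg.edu; the apex and deeper names are not covered.
	for _, h := range []string{"www.yourorg.edu", "rogue.yourorg.edu", "yourorg.edu", "a.b.yourorg.edu"} {
		fmt.Printf("%-22s accepted=%v\n", h, hostCovered(cert, h))
	}
	// The same check run at three points in the cert's life.
	for _, now := range []time.Time{issued.AddDate(0, 1, 0), issued.AddDate(2, 11, 0), issued.AddDate(3, 1, 0)} {
		fmt.Printf("%s: %4d days left, %s\n", now.Format("2006-01-02"),
			daysUntilExpiry(cert, now), expiryStatus(cert, now, 30))
	}
}
```

Two things worth noticing when you run it: a wildcard issued for *.yourorg.edu is accepted for any single-label host under the domain, including one you never intended, but not for yourorg.edu itself or for a.b.yourorg.edu, so sites at the apex or two levels down still need their own cert. And because every site shares one NotAfter, the expiry check belongs in something that runs on a schedule (a cron job against each server's presented cert), not in someone's memory.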
