Educause Security Discussion mailing list archives
Re: Free SSL certs for .edu by company included in browser lists
From: Dick Jacobson <Dick.Jacobson () NDSU NODAK EDU>
Date: Fri, 17 Nov 2006 10:33:50 -0600
On Fri, 17 Nov 2006, Steve Lovaas wrote:

Against my wishes, we purchased a wildcard for one of our institutions (*.<inst>.edu) about a month ago. I was informed two days ago that it does not play well with all the browsers (I think it was the recently upgraded Outlook). Everything at the third level of naming (www.<inst>.edu) will work but anything above that (www.<dept>.<inst>.edu) fails.

> The primary gotcha of using wildcard SSL certs (one cert valid for *.yourorg.edu) is that you need to have a mechanism to distribute them to everyone in your organization who wants to run an HTTPS site. If you don't adequately protect this distribution mechanism, then someone can bring up a rogue site in your org (so long as they can get the DNS and firewall permissions right) with an SSL that guarantees the client that they're connecting to a legitimate site hosted by you.
>
> Also, you need to be very careful about expiration date, since a wildcard cert would make ALL SSL-secured sites go invalid on the same day some years in the future when you're probably no longer there to remember what to do :)
>
> Steve Lovaas
> Colorado State University
>
> Jeff Giacobbe wrote:
>
> > <snip>We have not tried the wildcard certificate yet (it almost sounds too good to be true.) Has anyone had experience with wildcard certs - from any vendor? Are there any pitfalls to using one as opposed to a traditional hostname-based cert?<snip>
>
> --
> ==============================================================
> Steven Lovaas, MSIA, CISSP
> Network & Security Resource Manager
> Academic Computing & Network Services
> Colorado State University
> 970-297-3707
> Steven.Lovaas () ColoState EDU
> ==============================================================

-----------------------------------------------------------------------
Dick Jacobson                  e-mail : Dick.Jacobson () ndus NoDak edu
NDUS IT Security Officer       office : IACC 206, NDSU
ND HECN MultiUser Host SysAdd  phone  : 701-231-7385
-----------------------------------------------------------------------
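
Added example, not part of the original messages: a pre-purchase audit that applies the standard certificate name-matching rule (a `*` stands for exactly one left-most label, as in RFC 2818 and RFC 6125) to a host inventory and flags the shared expiry date raised in the thread. The `example.edu` names, the expiry date and the 60-day warning window are constructed assumptions.

```python
from datetime import date

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label; partial wildcards such as 'w*' are not treated
    as wildcards here (a conservative choice made for this example).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False          # different depth: '*' never spans a dot
    if p[0] == "*":
        # need at least two fixed labels so '*.edu' can never match
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def audit(cert_names, not_after, hostnames, today, warn_days=60):
    """Return (hostnames the cert does not cover, days to expiry, warn flag)."""
    uncovered = [h for h in hostnames
                 if not any(wildcard_matches(n, h) for n in cert_names)]
    days_left = (not_after - today).days
    return uncovered, days_left, days_left <= warn_days

# Constructed sample data (not taken from the thread)
CERT_NAMES = ["*.example.edu"]
NOT_AFTER = date(2008, 10, 17)
HOSTS = ["www.example.edu", "mail.example.edu",
         "www.physics.example.edu", "example.edu"]

if __name__ == "__main__":
    uncovered, days_left, warn = audit(CERT_NAMES, NOT_AFTER, HOSTS,
                                       today=date(2006, 11, 17))
    for host in uncovered:
        print(f"NOT covered by {CERT_NAMES}: {host}")
    print(f"{days_left} days until every covered site expires together"
          + (" (renew now)" if warn else ""))
```

Hosts reported as not covered need their own certificate or an additional name on the certificate; the bare domain is one of them because the wildcard requires a label in front of it.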