Educause Security Discussion mailing list archives

Re: SSL/SSH certificates


From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Thu, 13 May 2010 12:36:03 -0400

You might be able to use IPSCA (2 yr certs- free for Education) for
official certs that don't cost $$$ but you'd need a ton of them. 

If you use dns names for your devices, I suppose you could use a wildcard
dns or multidomain cert or something like that.  You could create an
internal private zone in a new or existing dns server that no one knew
existed except your network team and unless you had your computer
configured to look it up, you would not by default be able to resolve or
query names therein.  If you used a new dns server, you could restrict who
could query against it with a firewall.  Then install the same cert on them
all and see how it works.  Also, if you have security around who can
access the switches in the first place, you might not have to worry so
much about the dns names unless you name switches with obvious names.  I'm
not sure it's the best idea, but it's one.

D/C
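The approach above hinges on one wildcard certificate covering every device name in a private zone, and wildcard matching has a rule that often surprises people: the `*` stands for exactly one DNS label, so a device one level deeper in the zone is not covered. The following Python is an added example (not code from the list thread or from any vendor) that applies the usual RFC 6125-style matching rules to a constructed SAN list and a constructed set of device names; the zone `netmgmt.example.internal` is a placeholder, not a real zone from the thread.

```python
"""Which device hostnames does a wildcard certificate actually cover?

Added example, not from the list thread.  The zone, SAN entries and device
names below are constructed placeholders.
"""
from __future__ import annotations


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if ``hostname`` is covered by the certificate name ``pattern``.

    Rules applied (the common browser / RFC 6125 interpretation):
    - a wildcard is honoured only as the whole leftmost label ("*.zone");
    - it matches exactly one label, so it never spans a deeper sub-zone;
    - a wildcard needs at least two labels after it (no "*.com"-style names);
    - matching is case-insensitive and label counts must be equal.
    """
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")

    if any("*" in label for label in p_labels):
        # Wildcard must be the entire leftmost label and appear nowhere else.
        if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False

    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers one label, not zero and not several

    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def covered_devices(san_names: list[str], devices: list[str]) -> dict[str, bool]:
    """Map each device hostname to whether any SAN entry in the cert covers it."""
    return {dev: any(hostname_matches(san, dev) for san in san_names) for dev in devices}


def uncovered_devices(san_names: list[str], devices: list[str]) -> list[str]:
    """Device hostnames that would still fail name validation with this cert."""
    return [dev for dev, ok in covered_devices(san_names, devices).items() if not ok]


# Constructed sample: one wildcard SAN for the private zone plus one exact name.
SAMPLE_SAN = ["*.netmgmt.example.internal", "mgmt.example.internal"]
SAMPLE_DEVICES = [
    "sw-core1.netmgmt.example.internal",     # directly under the zone: covered
    "AP-Lib.netmgmt.example.internal",       # case differs: still covered
    "ap1.bldg3.netmgmt.example.internal",    # one label deeper: NOT covered
    "netmgmt.example.internal",              # the zone apex itself: NOT covered
    "mgmt.example.internal",                 # exact SAN entry: covered
    "rtr1.example.internal",                 # outside the zone: NOT covered
]

if __name__ == "__main__":
    for dev, ok in covered_devices(SAMPLE_SAN, SAMPLE_DEVICES).items():
        print(f"{'OK ' if ok else 'NO '} {dev}")
    print("Need their own SAN entry:", uncovered_devices(SAMPLE_SAN, SAMPLE_DEVICES))
```

The practical consequence for a fleet of switches, routers and access points is that a single wildcard only works if every device name sits directly under one zone label; anything in a deeper sub-zone, or the zone apex itself, needs its own SAN entry or a separate certificate. Running the check against the planned naming scheme before buying or issuing the certificate is the "see how it works" step done on paper.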

The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
We are currently reviewing our network security.  One of the tools we
are using in this process is reporting a vulnerability as a result of
using self signed certificates on our Cisco IOS devices (switches,
routers, access points) for ssh and ssl connections.  Rather than
purchase 300 certificates to address this issue I thought I would ask
what others are doing in this area.


Thank you

Bruce Entwistle

Network Manager

University of Redlands
