Educause Security Discussion mailing list archives
Re: Wildcard certs; to use or not to use
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Tue, 4 Dec 2012 17:29:25 +0000
My understanding is that the Subject Alt Name (SAN) is designed for this scenario – multiple hosts on a single box (IP address?) – and the wildcard was designed for multiple boxes. We do use wildcard certs – very sparingly!

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian Helman
Sent: Tuesday, December 04, 2012 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wildcard certs; to use or not to use

We have been using wildcard certs for a few years now. We do not use the same cert on all devices. Data Center services (applications) use a couple certs; network devices (e.g. FW, VPN, etc.) use another. The cost of a wildcard isn't that much more than a single-server cert (we use DigiCert) and it is widely supported. They make cert management much easier. I would keep a separation of classes of devices you use certs on, but if one is ever compromised, it can always be revoked.

-Brian Helman

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Fox
Sent: Tuesday, December 04, 2012 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Wildcard certs; to use or not to use

Has anyone used wildcard certs for their university domain? What are the pros and cons? We are in the process of moving our public pages to a hosting site and I've been asked if wildcard certs can be used. I assessed using wildcard certs in the past (based on the way they wanted to use them) and deemed the risk was too great. The environment they want to do this in now is with multiple domains on one IP address. Any input would be appreciated.

Mike Fox
Georgia Southern University
Information Security Office
(912)478-1592
Jeremiah 29:11-16