Educause Security Discussion mailing list archives
Re: Wildcard certs; to use or not to use
From: Sherry Callahan <scallahan () KUMC EDU>
Date: Wed, 5 Dec 2012 20:21:38 +0000
We use a wildcard cert on our main web server to cover www.kumc.edu and all the tertiary domains that the University seems to host, as long as they are simple informational sites and none of the sites have anything to do with sensitive information. We use UC certificates to secure our Exchange environment and a few other similar situations. Otherwise, all servers have their own certs.

The hypothetical risk is that the wildcard cert could be compromised, hence compromising the encryption on any server using the wildcard cert.

We use Digicert so cost is not an issue - it’s free for us to request as many certs as we want. Yes, we have to maintain the certs and replace them when they expire, but Digicert does a great job of tracking expiration dates for us as well.

Hope this helps,

Sherry Callahan
Information Security Office
University of Kansas Medical Center
(913) 588-0966 | scallahan () kumc edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Wiseman
Sent: Tuesday, December 04, 2012 2:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wildcard certs; to use or not to use

Has anyone used wildcard certs for their university domain? What are the pros and cons? We are in the process of moving our public pages to a hosting site and I've been asked if wildcard certs can be used. I assessed using wildcard certs in the past (based on the way they wanted to use them) and deemed the risk was too great. The environment they want to do this in now is with multiple domains on one IP address. Any input would be appreciated.

Wildcard certs are issued to a number of department administrators here. Our practice around using them is that they must be administered by one IT group only to maintain the security of the private key. This is usually useful since many departments make use of a single domain level and, with a wildcard cert, they have only one cert/key to worry about renewing and replacing.

Mike

Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto
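The risk both posters describe, that one wildcard key compromise affects every host the certificate covers, is easy to quantify for an inventory. The following Python script is an added example, not code from the thread or from any of the institutions mentioned; it uses a constructed host inventory under example.edu and constructed certificates described only by their subject alternative names. It applies the browser-style wildcard rules (a wildcard must be the entire left-most label, matches exactly one label, and never matches the bare domain) and reports which hosts would be affected if each certificate's private key leaked, so a wildcard cert can be compared against a UC/SAN cert or a per-host cert.

```python
"""Estimate how many hosts share the fate of one certificate's private key.

Added example with constructed data. Certificates are modelled only by their
subject alternative names; no real certificates or hosts are involved.
"""
from typing import Dict, List

# Constructed inventory of hostnames (example.edu is a reserved-style example domain).
INVENTORY = [
    "www.example.edu",
    "news.example.edu",
    "library.example.edu",
    "example.edu",
    "mail.example.edu",
    "autodiscover.example.edu",
    "portal.hr.example.edu",          # two labels deep: a wildcard must not cover it
    "www.example.edu.attacker.test",  # unrelated domain: must never match
]

# Constructed certificates, each described by its SAN list.
CERTS: Dict[str, List[str]] = {
    "wildcard": ["*.example.edu", "example.edu"],
    "uc-exchange": ["mail.example.edu", "autodiscover.example.edu"],
    "single-library": ["library.example.edu"],
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN entry covers the hostname.

    Rules follow RFC 6125 as browsers apply them: the wildcard must be the
    whole left-most label, it matches exactly one label, and it does not
    match the registered domain itself. Partial-label wildcards such as
    "w*.example.edu" are deliberately rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Whole left-most label only, no other wildcards, at least two fixed labels.
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False
    # Exactly one label substituted for "*": label counts must be equal.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def covered_hosts(san_names: List[str], inventory: List[str]) -> List[str]:
    """Hosts from the inventory that any SAN entry of one certificate covers."""
    return [h for h in inventory if any(hostname_matches(p, h) for p in san_names)]


def blast_radius(certs: Dict[str, List[str]], inventory: List[str]) -> Dict[str, List[str]]:
    """Map each certificate name to the inventory hosts that depend on its key."""
    return {name: covered_hosts(sans, inventory) for name, sans in certs.items()}


if __name__ == "__main__":
    for name, hosts in blast_radius(CERTS, INVENTORY).items():
        print(f"{name}: key compromise affects {len(hosts)} host(s)")
        for h in hosts:
            print(f"  {h}")
```

Run against a real inventory, the same function can be fed the SAN list pulled from each deployed certificate; hosts that only a wildcard covers are the ones to reconsider moving to a per-host or UC certificate when they handle sensitive data, as Sherry's policy does.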
Current thread:
- Wildcard certs; to use or not to use Mike Fox (Dec 04)
- Re: Wildcard certs; to use or not to use Brian Helman (Dec 04)
- Re: Wildcard certs; to use or not to use Jacobson, Dick (Dec 04)
- Re: Wildcard certs; to use or not to use Kevin Halgren (Dec 04)
- Re: Wildcard certs; to use or not to use Jacobson, Dick (Dec 04)
- Re: Wildcard certs; to use or not to use Dennis Bolton (Dec 04)
- Re: Wildcard certs; to use or not to use Jacobson, Dick (Dec 04)
- Re: Wildcard certs; to use or not to use Brian Helman (Dec 04)
- Re: Wildcard certs; to use or not to use Sherry Callahan (Dec 05)