Educause Security Discussion mailing list archives
Re: WildCard Certificates
From: Dexter Caldwell <dexter.caldwell () FURMAN EDU>
Date: Fri, 22 Nov 2013 12:34:34 +0000
I tend to not prefer the use of wildcards a lot but there are some uses for it. If you end up with one, be sure to limit who has access to it and its password and train your admins not to just use it all over the place. I generally don't use them on servers that secure if I can prevent it. Sharepoint is kind of an exception because it can have so many domain names and a SAN cert might not suffice easily. However, you could even use a different wildcard cert for just that application if you wanted. If you are highly distributed and cannot protect the wildcard cert, then SAN certs may be a reasonable alternative. What I've found is if you don't keep an eye on admin use of wildcard certs, they use it for any and everything because it's easier, quicker, cheaper and they don't have to wait on an order or the network team for NAT translations etc. Outside of just the risk you have already identified, the downside is you find out that everyone has the cert and its password because they've shared it and often don't mark it as non-exportable, etc. The biggest booger of all can be just the herculean effort required to replace all of the certs that used it when it expires, assuming your admins properly documented which ones they deployed. It helps if you have a person who manages those certs. Sometimes applications that use certificates have really quirky requirements for deploying certs and unless you documented the ones you haven't touched in a few years, you'll probably spend a long time renewing certs and sweating bullets when they expire. On the other hand, the date of expiry is common and known so you can technically plan for the onslaught.
D/C

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gramke, Jim
Sent: Friday, November 22, 2013 7:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WildCard Certificates

I've got an administrator who is pushing me towards using a wildcard certificate for our domain. I don't like the idea because if one server compromises the private key, all the other servers' ssl is also potentially compromised. Does anybody have any evidence or opinion for or against you'd be willing or eager to share?

Thanks,
Jim
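Two of the practical problems raised in the reply above, not knowing which hosts share one wildcard key and being surprised by the common expiry date, are both inventory problems. The following script is an added example written for this archive page, not code from either poster; it uses only the Python standard library. `fetch_peer_cert` pulls a live certificate in the dict shape that `ssl.getpeercert()` returns, while `CONSTRUCTED_CERTS` and `AS_OF` are made-up sample data (hostnames under `example.edu`, a 2013 reference date) so the inventory logic can be exercised offline. `inventory()` reports, per host, whether the presented cert is a wildcard and how many days remain, and groups hosts by the wildcard name they share, which is the set of servers whose TLS would be affected together if that one private key were exposed.

```python
"""Inventory which hosts present a wildcard certificate and when it expires.

Added example (not from the mailing-list thread). Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup: return the validated peer cert as ssl.getpeercert() dict.
    Not used by the offline sample below; call it to build a real host map."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """All DNS names the cert is valid for: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def wildcard_names(cert):
    """Names of the form *.domain present on the cert."""
    return [n for n in cert_names(cert) if n.startswith("*.")]


def covers(wildcard, hostname):
    """True if a wildcard name matches the host. Per RFC 6125 the '*' matches
    exactly one label, so *.example.edu covers www.example.edu but neither
    example.edu itself nor a.b.example.edu."""
    suffix = wildcard[1:]  # ".example.edu"
    if not hostname.lower().endswith(suffix.lower()):
        return False
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter, relative to `now` (UTC)."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)


def inventory(host_certs, now=None, warn_days=60):
    """host_certs: {hostname: cert dict}.
    Returns (rows, shared): rows describe each host; shared maps each wildcard
    name to the hosts presenting it, i.e. the hosts sharing one private key."""
    rows, shared = [], {}
    for host, cert in sorted(host_certs.items()):
        wc = wildcard_names(cert)
        days = days_until_expiry(cert, now)
        rows.append({"host": host, "wildcard": wc, "days_left": days,
                     "renew_soon": days <= warn_days})
        for name in wc:
            shared.setdefault(name, []).append(host)
    return rows, shared


# Constructed sample data: a wildcard cert deployed on two hosts, and a
# single-name cert on a third that is close to expiry.
_WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.edu"),),),
    "subjectAltName": (("DNS", "*.example.edu"), ("DNS", "example.edu")),
    "notAfter": "Nov 22 12:34:34 2014 GMT",
}
CONSTRUCTED_CERTS = {
    "www.example.edu": _WILDCARD_CERT,
    "sharepoint.example.edu": _WILDCARD_CERT,
    "mail.example.edu": {
        "subject": ((("commonName", "mail.example.edu"),),),
        "subjectAltName": (("DNS", "mail.example.edu"),),
        "notAfter": "Dec 31 23:59:59 2013 GMT",
    },
}
AS_OF = datetime(2013, 11, 22, tzinfo=timezone.utc)  # constructed reference date


if __name__ == "__main__":
    rows, shared = inventory(CONSTRUCTED_CERTS, now=AS_OF)
    for r in rows:
        flag = " RENEW SOON" if r["renew_soon"] else ""
        print(f"{r['host']:28} wildcard={r['wildcard'] or '-'} days_left={r['days_left']}{flag}")
    for name, hosts in shared.items():
        print(f"{name} key shared by: {', '.join(hosts)}")
```

Running it on a real host list means replacing `CONSTRUCTED_CERTS` with `{h: fetch_peer_cert(h) for h in hosts}`; the `shared` map is the list to hand to whoever owns the wildcard key, and `renew_soon` rows are the renewal queue the reply suggests planning for, since every host in one `shared` group expires on the same day.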
Current thread:
- WildCard Certificates Gramke, Jim (Nov 22)
- Re: WildCard Certificates Gramke, Jim (Nov 22)
- Re: WildCard Certificates Dexter Caldwell (Nov 22)
- Re: WildCard Certificates Dexter Caldwell (Nov 22)
- Re: WildCard Certificates Gramke, Jim (Nov 22)