Educause Security Discussion mailing list archives
Re: SSL certificate purchasing
From: David Lundy <dlundy () PACIFIC EDU>
Date: Thu, 13 Nov 2014 19:00:28 +0000
I have found vulnerability scans to be a useful tool for finding certs, particularly on ports other than 443.

David Lundy
University of the Pacific

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Baumgartner, Mark A.
Sent: Thursday, November 13, 2014 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

I would second David's recommendation. The InCommon service has worked great for us as well. No complaints.

For institutions that use one (or a few) wildcard certs because of budgetary constraints, tools like nmap could also assist with discovering servers listening on port 443 on the IP ranges of your webservers. It can also display the cert being used with a command like

> nmap -p 443 --script=ssl-cert x.x.x.x

Mark Baumgartner
Creighton University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Lundy
Sent: Thursday, November 13, 2014 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

We explicitly disallow the use of the wildcard in the top level of our domain: *.pacific.edu. If one of the servers with this cert is compromised, the cert is compromised for all servers and would allow the intruder to use the cert at will.

InCommon works well for us. Server groups can initiate cert requests directly to InCommon, our IT Security approves, cert is processed. While this level of service is not guaranteed, turnaround is usually a few minutes. No muss, no fuss.

David Lundy
University of the Pacific

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Cunningham
Sent: Thursday, November 13, 2014 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

That can be a pain. It does require keeping good documentation on where it was installed.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Thursday, November 13, 2014 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

We've considered that. How do you keep up with everywhere it's used when time to renew?

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Cunningham
Sent: Thursday, November 13, 2014 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

We get a wildcard cert from COMODO that we can put on as many servers as needed for one price. We can use any *.pct.edu name with one cert.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas Carter
Sent: Thursday, November 13, 2014 12:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSL certificate purchasing

We don't have enough SSL certs around to qualify for one of the "get as many as you want for one price" deals, but the costs do seem high for non-essential sites. Has anyone used a reseller for cheaper prices like namecheap or GoGetSSL? They offer the basic Thawte SSL123 certs for $35 a year, which is considerably cheaper than the $149 Thawte lists.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
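An added example, not part of the original thread: one way to turn the output of the nmap ssl-cert scan mentioned above into the "where is it installed" record the thread asks about, grouping endpoints by certificate fingerprint so a shared wildcard cert shows every server and port to touch at renewal. The function names, the 60-day warning window and the sample scan output are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `nmap --script=ssl-cert` output (made-up hosts, dates, fingerprints).
SAMPLE = """\
Nmap scan report for www.example.edu (192.0.2.10)
443/tcp  open  https
| ssl-cert: Subject: commonName=*.example.edu/organizationName=Example University
| Not valid after:  2014-12-01T23:59:59
|_SHA-1: 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000
Nmap scan report for lms.example.edu (192.0.2.20)
443/tcp  open  https
| ssl-cert: Subject: commonName=lms.example.edu
| Not valid after:  2016-03-15T23:59:59
|_SHA-1: aaaa bbbb cccc dddd eeee ffff 0000 1111 2222 3333
8443/tcp open  https-alt
| ssl-cert: Subject: commonName=*.example.edu/organizationName=Example University
| Not valid after:  2014-12-01T23:59:59
|_SHA-1: 1111 2222 3333 4444 5555 6666 7777 8888 9999 0000
"""

def parse_inventory(text):
    """Group (host, port) endpoints by certificate SHA-1 fingerprint."""
    certs, host, port, cn, expires = {}, None, None, None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            host = m.group(1)
        elif m := re.match(r"(\d+)/tcp\s+open", line):
            # New port: forget cert fields carried over from the previous one.
            port, cn, expires = int(m.group(1)), None, None
        elif m := re.search(r"ssl-cert: Subject: .*?commonName=([^/\s]+)", line):
            cn = m.group(1)
        elif m := re.search(r"Not valid after:\s+(\S{19})", line):
            expires = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        elif m := re.search(r"SHA-1:\s+([0-9a-fA-F ]+)", line):
            fp = m.group(1).replace(" ", "").lower()
            c = certs.setdefault(fp, {"cn": cn, "expires": expires, "endpoints": []})
            c["endpoints"].append((host, port))
    return certs

def renewal_report(certs, today, warn_days=60):
    """Per certificate: wildcard/shared/expiring flags plus every endpoint using it."""
    soon = today + timedelta(days=warn_days)
    rows = [{"cn": c["cn"], "wildcard": (c["cn"] or "").startswith("*."),
             "shared": len(c["endpoints"]) > 1,
             "expiring": c["expires"] is not None and c["expires"] <= soon,
             "endpoints": sorted(c["endpoints"])} for c in certs.values()]
    return sorted(rows, key=lambda r: r["cn"] or "")

if __name__ == "__main__":
    print(*renewal_report(parse_inventory(SAMPLE), datetime.now()), sep="\n")
```

Keying on the fingerprint rather than the subject name keeps two different certs issued for the same wildcard name apart, so a copy left on the old cert after a renewal stands out.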
Current thread:
- SSL certificate purchasing Thomas Carter (Nov 13)
- Re: SSL certificate purchasing Mike Cunningham (Nov 13)
- Re: SSL certificate purchasing Jones, Mark B (Nov 13)
- Re: SSL certificate purchasing Thomas Carter (Nov 13)
- Re: SSL certificate purchasing Leonard Nelson (Nov 13)
- Re: SSL certificate purchasing Thomas Carter (Nov 13)
- Re: SSL certificate purchasing Mike Cunningham (Nov 13)
- Re: SSL certificate purchasing David Lundy (Nov 13)
- Re: SSL certificate purchasing Roger A Safian (Nov 13)
- Re: SSL certificate purchasing Baumgartner, Mark A. (Nov 13)
- Re: SSL certificate purchasing David Lundy (Nov 13)
- Re: SSL certificate purchasing Jones, Mark B (Nov 13)
- Re: SSL certificate purchasing Mike Cunningham (Nov 13)
- Re: SSL certificate purchasing Maloney, Michael (Nov 13)
- Re: SSL certificate purchasing Glassman, Stephen (Nov 13)
- Re: SSL certificate purchasing Mark Montague (Nov 13)
- Re: SSL certificate purchasing Nick Semenkovich (Nov 13)
- <Possible follow-ups>
- Re: SSL certificate purchasing Judd, Taylor Allen (Nov 13)