Re: SSL certificate purchasing

[David Lundy <dlundy () PACIFIC EDU>]

I have found vulnerability scans to be a useful tool for finding certs, particularly on ports other than 443.

David Lundy
University of the Pacific

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Baumgartner, Mark A.
Sent: Thursday, November 13, 2014 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SSL certificate purchasing

I would second David's recommendation.  The InCommon service has worked great for us as well.  No complaints.

For institutions that use one (or a few) wildcard certs because of budgetary constraints, tools like nmap could also 
assist with discovering servers listening on port 443 on the IP ranges of your webservers.  It can also display the 
cert being used with a command like > nmap -p 443 --script=ssl-cert x.x.x.x


Mark Baumgartner
Creighton University


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Lundy
Sent: Thursday, November 13, 2014 12:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

We explicitly disallow the use of the wildcard in the top level of our domain: *.pacific.edu.  If one of the servers 
with this cert is compromised, the cert is compromised for all servers and would allow the intruder use the cert at 
will.

Incommon works well for us.  Server groups can initiate cert requests directly to InCommon, our IT Security approves, 
cert is processed.  While this level of service is not guaranteed, turnaround is usually a few minutes.  No muss, no 
fuss.

David Lundy
University of the Pacific

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Cunningham
Sent: Thursday, November 13, 2014 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

That can be a pain. It does require keeping good documentation on where it was installed.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Thursday, November 13, 2014 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

We've considered that. How do you keep up with everywhere it's used when time to renew?

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
[AusColl_Logo_Email]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Cunningham
Sent: Thursday, November 13, 2014 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

We get a wildcard cert from COMODO that we can put on as many servers as needed for one price. We can use any *.pct.edu 
name with one cert

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Thursday, November 13, 2014 12:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] SSL certificate purchasing

We don't have enough SSL certs around to qualify for one of the "get as many as you want for one price" deals, but the 
costs do seem high for non-essential sites. Has anyone used a reseller for cheaper prices like namecheap of GoGetSSL? 
They offer the basic Thawte SSL123 certs for $35 a year, which is considerably cheaper than the $149 Thawte lists.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
[AusColl_Logo_Email]