Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Wildcard certs; to use or not to use
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Tue, 4 Dec 2012 18:21:41 +0000

Agreed.  But letting the wildcard cert expire causes its own issues.  Yes - one  of our institutions did that.

We have an academic license with one of the CAs that allows us unlimited certs for all our system institutions, and a 
managed system that gives us six notices before the cert expires.  My response was based on this.  Managing these 
manually would be a nightmare I would not want to undertake.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Halgren
Sent: Tuesday, December 04, 2012 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Wildcard certs; to use or not to use

It depends on the nature of the content being protected.  For much securing much general traffic, a wildcard cert that 
is centrally managed and well documented is preferable to a large number of individual certs with varying expiration 
dates all over the place.  Moving to wildcard certs has reduced the overhead of managing and tracking all those certs 
and dates, reducing the incidence of expired certs on active systems to almost nil and enabling us to secure more web 
traffic than we likely would have if we had to pay for a separate cert for each system.  It has also made it easier for 
us to ensure academic or federated units are maintaining security - when they don't have to absorb the cost of the cert 
or deal with the administrative overhead it gives them incentive to have us manage the service. Note that we don't hand 
the wildcard cert out.


On the other hand, we don't use it for other types of traffic.  We certainly don't use it on anything that relates to 
PCI other highly sensitive data that would be costly if the traffic were compromised.

Kevin
----- Original Message -----
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU<mailto:dick.jacobson () NDUS EDU>>
Date: Tuesday, December 4, 2012 11:29 am
Subject: Re: [SECURITY] Wildcard certs; to use or not to use
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
My understanding is that the Subject Alt Name (SAN) is designed for this scenario - multiple hosts on a single box 
(IP address ?) - and the wildcard was designed for multiple boxes.

We do use wildcard certs - very sparingly !


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Brian Helman
Sent: Tuesday, December 04, 2012 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Wildcard certs; to use or not to use

We have been using wildcard certs for a few years now.  We do not use the same cert on all devices.  Data Center 
services (applications) use a couple certs; network devices (e.g. FW, VPN, etc) use another.   The cost of a wildcard 
isn't that much more than a single-server cert (we use digicert) and it is widely supported.  They make 
cert-management much easier.  I would keep a separation of classes of devices you use certs on, but if one is ever 
compromised, it can always be revoked.

-Brian Helman

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<javascript:main.compose('new',%20't=[mailto:SECURITY () LISTSERV EDUCAUSE EDU]')> On Behalf Of Mike Fox
Sent: Tuesday, December 04, 2012 10:19 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<javascript:main.compose('new',%20't=SECURITY () LISTSERV EDUCAUSE EDU')>
Subject: [SECURITY] Wildcard certs; to use or not to use

Has anyone used wildcard certs for their university domain? What are the pros and cons? We are in the process of 
moving our public pages to a hosting site and I've been asked if wildcard certs can be used. I assessed using wild 
card certs in the past (based on the way they wanted to use them) and deemed the risk was to great.

The environment they want to do this in now is with multiple domains on one IP address.

Any input would be appreciated.

Mike Fox
Georgia Southern University
Information Security Office
(912)478-1592

Jeremiah 29:11-16




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]