Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Wildcard certs; to use or not to use
From: Dennis Bolton <bolton () OAKLAND EDU>
Date: Tue, 4 Dec 2012 14:57:52 -0500

We are currently using a wildcard certificate at our institution and also
have an agreement with the CA's for unlimited use.

We found the wildcard allowed us to offer a good balance between security
and management overhead in our environment.  As others have stated we were
expending considerable resources purchasing, installing, tracking, and
managing the expiration date for dozens of individual certificates.

We've attempt to mitigate some of the security concerns associated with the
wildcard by only granting the minimal number of staff access to install &
mange the certificate and having criteria for machines that are eligible to
receive the certificate.   Systems that do not meet the criteria are
required to purchase and install an individual certificate.

Overall we have seen a significant decrease in management overhead and a
cost savings. With a large wildcard install base we have begun planning for
the wildcard renewal / replacement approximately 10 months in advance.

Hope this information is helpful.

On Tue, Dec 4, 2012 at 1:21 PM, Jacobson, Dick <dick.jacobson () ndus edu>wrote:

 Agreed.  But letting the wildcard cert expire causes its own issues.
Yes – one  of our institutions did that.****

** **

We have an academic license with one of the CAs that allows us unlimited
certs for all our system institutions, and a managed system that gives us
six notices before the cert expires.  My response was based on this.
Managing these manually would be a nightmare I would not want to undertake.

** **

*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
*Sent:* Tuesday, December 04, 2012 11:48 AM

*Subject:* Re: [SECURITY] Wildcard certs; to use or not to use****

** **

It depends on the nature of the content being protected.  For much
securing much general traffic, a wildcard cert that is centrally managed
and well documented is preferable to a large number of individual certs
with varying expiration dates all over the place.  Moving to wildcard certs
has reduced the overhead of managing and tracking all those certs and
dates, reducing the incidence of expired certs on active systems to almost
nil and enabling us to secure more web traffic than we likely would have if
we had to pay for a separate cert for each system.  It has also made it
easier for us to ensure academic or federated units are maintaining
security - when they don't have to absorb the cost of the cert or deal with
the administrative overhead it gives them incentive to have us manage the
service. Note that we don't hand the wildcard cert out.

On the other hand, we don't use it for other types of traffic.  We
certainly don't use it on anything that relates to PCI other highly
sensitive data that would be costly if the traffic were compromised.

----- Original Message -----
From: "Jacobson, Dick" <dick.jacobson () NDUS EDU>
Date: Tuesday, December 4, 2012 11:29 am
Subject: Re: [SECURITY] Wildcard certs; to use or not to use

My understanding is that the Subject Alt Name (SAN) is designed for
this scenario – multiple hosts on a single box (IP address ?) – and the
wildcard was designed for multiple boxes.****


We do use wildcard certs – very sparingly !****


** **

*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Brian Helman
*Sent:* Tuesday, December 04, 2012 9:44 AM
*Subject:* Re: [SECURITY] Wildcard certs; to use or not to use****


We have been using wildcard certs for a few years now.  We do not use
the same cert on all devices.  Data Center services (applications) use a
couple certs; network devices (e.g. FW, VPN, etc) use another.   The cost
of a wildcard isn’t that much more than a single-server cert (we use
digicert) and it is widely supported.  They make cert-management much
easier.  I would keep a separation of classes of devices you use certs on,
but if one is ever compromised, it can always be revoked.****


-Brian Helman****


*From:* The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Mike Fox
*Sent:* Tuesday, December 04, 2012 10:19 AM
*Subject:* [SECURITY] Wildcard certs; to use or not to use****


Has anyone used wildcard certs for their university domain? What are
the pros and cons? We are in the process of moving our public pages to a
hosting site and I've been asked if wildcard certs can be used. I assessed
using wild card certs in the past (based on the way they wanted to use
them) and deemed the risk was to great.

The environment they want to do this in now is with multiple domains on
one IP address.

Any input would be appreciated.

*Mike Fox*
Georgia Southern University
Information Security Office

Jeremiah 29:11-16****


** **

Dennis Bolton
Network Security Analyst
Oakland University
2200 N Squirrel Road Rochester MI 48309

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]