Home page logo

educause logo Educause Security Discussion mailing list archives

Re: WildCard Certificates
From: Dexter Caldwell <dexter.caldwell () FURMAN EDU>
Date: Fri, 22 Nov 2013 12:34:34 +0000

I tend to not prefer the use of wildcards a lot but there are some uses for it.  If you end up with one,  be sure to 
limit who has access to it and its password and train your admins not to just use it all over the place.  I generally 
don't use them on servers that secure if I can prevent it.  Sharepoint is kind of an exception because it can have so 
many domain names and a SAN cert might not suffice easily.  However, you could even use a different wildcard cert for 
just that application if you wanted.  If you are highly distributed and cannot protect the wildcard cert, then SAN 
certs may be a reasonable alternative.  What I've found is if you don't keep an eye on admin use of wildcard certs, 
they use it for any and everything because it's easier, quicker, cheaper and they don't have to wait on an order or the 
network team for NAT translations etc.  Outsde of just the risk you have already identified,  the downside is you find 
out that everyone has the cert and its password because they've shared it  and often don't mark it as non-exportable, 
etc.  The biggest booger of all can be just the herculean effort required to replace all of the certs that used it when 
it expires assuming your admins properly documented which ones they deployed.  It helps if you have a person who 
manages those certs.  Sometimes applications that use certificates have really quirky requirements for deploying certs 
and unless you documented the ones you haven't touched in a few years, you'll probably spend a long time renewing certs 
and sweating bullets when they expire.  On the other hand, the date of expiry is common  and known so you can 
technically plan for the onslaught.   


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gramke, 
Sent: Friday, November 22, 2013 7:21 AM
Subject: [SECURITY] WildCard Certificates

I've got an administrator who is pushing me towards using a wildcard certificate for our domain.   I don't like the 
idea because if one server compromises the private key, all the other servers' ssl is also potentially compromised.    
Does anybody have any evidence or opinion for or against you'd be willing or eager to share?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]