
Re: Load balancer and Security Certificates



> definitely the avenue to pursue.  Our networking group wouldn't let us 
> acquire wildcard certs

I would advise against too-promiscuous use of a single *.example.edu key. If any one service is compromised, then all others are effectively unencrypted.

However, if your email has its own DNS subdomain and everything is managed by the same people in the same way behind the same load balancer, then go ahead.

Btw, if you are OK with potential problems with embedded devices, you can get free wildcard certs at certs.ipsca.com. The main client problems we've seen are with Java runtimes and Windows Mobile, both of which are really hard to fix at the client end. So we continue to pay for Thawte certs for the most visible services (including Zimbra), but use IPSCA for most web sites.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-646-7079 Cell: 952-292-6529