
Re: Load balancer and Security Certificates



----- "Rich Graves" <rgraves@carleton.edu> wrote:

> > definitely the avenue to pursue.  Our networking group wouldn't let us
> > acquire wildcard certs
> 
> I would advise against too-promiscuous use of a single *.example.edu
> key. If any one service is compromised, then all others are
> effectively unencrypted.

Feel free to flame me if I have this incorrect, as I'm not a cert/SSL expert, but with the DigiCert wildcard cert, you don't actually use the *same* cert on every service. Each service still has its own private key (which you should protect with a passphrase), and when bringing up a new service, you just go to the DigiCert site and feed in your CSR, and it'll return you a wildcard cert. You can generate as many such certs as you want for the same flat fee.

So if a hacker breaks into one of your SSL systems and steals the cert & key, they can't then use that to decrypt other SSL conversations. Nor can they set up a site in your domain unless they're able to crack the passphrase on the key. Of course, if you run a service that requires that your key not be password-protected, then you're vulnerable (so you might not want to put those ones on the wildcard cert).

-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University
Sent from Zimbra
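As an added illustration (not code from the thread or from DigiCert), here is a POSIX shell script that does what the post describes: one passphrase-protected private key per service, each with its own CSR for the same wildcard name, plus checks that the two keys differ, that each CSR carries its own key, and that a key file is unusable without its passphrase. It assumes openssl is on PATH; the domain, service names and passphrases are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): one private key per service, each
# passphrase-protected, each with its own CSR for the same wildcard name.
# Assumes openssl on PATH; "example.edu", service names and passphrases are placeholders.
set -eu

WILDCARD="*.example.edu"   # placeholder wildcard name shared by every CSR

# Generate an encrypted RSA key and a wildcard CSR for one service.
# $1 = service name (used for file names), $2 = passphrase, $3 = output dir
make_service_key_and_csr() {
    key="$3/$1.key.pem"
    csr="$3/$1.csr.pem"
    # -aes256 + -passout: the key on disk cannot be used without the passphrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$key" 2048 2>/dev/null
    # A fresh CSR per service; the CA returns a separate wildcard cert for each
    openssl req -new -key "$key" -passin "pass:$2" \
        -subj "/O=Example University/CN=$WILDCARD" -out "$csr"
}

# SHA-256 of the public key inside a private key file (needs the passphrase).
key_pub_fp() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key inside a CSR (no secret needed).
csr_pub_fp() {
    openssl req -in "$1" -pubkey -noout | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds if the key file is encrypted on disk.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Succeeds only if the key can be opened with the given passphrase.
key_opens_with() { openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Demo: two services, two independent keys, one wildcard name in both CSRs.
demo() {
    dir=$(mktemp -d)
    make_service_key_and_csr www  "pw-www"  "$dir"
    make_service_key_and_csr mail "pw-mail" "$dir"
    echo "www  key: $(key_pub_fp "$dir/www.key.pem" pw-www)"
    echo "mail key: $(key_pub_fp "$dir/mail.key.pem" pw-mail)"
    openssl req -in "$dir/www.csr.pem" -noout -subject
    rm -rf "$dir"
}
demo
```

The two fingerprints printed by the demo differ, which is the whole point of the post: stealing one service's key and cert yields nothing usable against the other service.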