TLS Wildcard certificates

Does thoughts on using wildcard certificates?

Personally, I don't like the optics or the rationale that one certificate is acceptable given the inherent risks. Am I going overboard on the protection front or is this something one would expect to see as more normal. Coming from highly secure environments this would be unheard of but things may have changed.

Thank-you in advance.

- b/eads

Find more posts tagged with

Comments

Iristheangel

It's useful for certain things like guest and system portals for internal use. There's certain things you can't use them for (i.e. EAP authentication) and I would go the way of SAN certs in that case. It all really depends on what you need the certificate for. In most cases, a SAN cert might do the trick over a wildcard cert.

PocketLumberjack

Digicert made a nice wildcard Cert for Stack Overflow recently, it's a good read if you are interested in Certificates and PKI.

Edit:

Link to the blog post:
https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/

Mike7

Good for securing internal environment including firewalls, appliances, servers, ESXi, RDP. Kinda useful as Chrome tend to complain about unrecognised certs.

For internet facing, it depends on your industry.Banks will use EV certs for that additional assurance. You can get free SSL from Let's Encrypt via scripts and even automate the cert renewal process.

I would also strengthen internal environment crypto config limiting it to TLS 1.2 and PFS ciphers only.

You can consider having a internal CA to secure all internal devices and automatically issuing certs to windows servers for RDP, SQL, intranet web portals use.. Using GPO to push your CA cert into trusted CA group on all internal windows endpoints. Or you can get external recognised CA to sign your internal CA.

NotHackingYou

I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.

beads

Respondents;

Than-you for the support of my own conclusion on this topic. Greatly and humbly appreciated. Wait? Did I say humble? Never-mind.

NotHackingYou wrote: »

I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.

There are so many reasons not to use one cert its not funny but the universal basket of golden eggs is probably the obvious. Tried to figure out how often certs are recalled on the CRL? Pfft! That was an exercise in futility unto itself.