TLS Wildcard certificates

beadsbeads Member Posts: 1,533 ■■■■■■■■■□
Does thoughts on using wildcard certificates?

Personally, I don't like the optics or the rationale that one certificate is acceptable given the inherent risks. Am I going overboard on the protection front or is this something one would expect to see as more normal. Coming from highly secure environments this would be unheard of but things may have changed.

Thank-you in advance.

- b/eads

Comments

  • IristheangelIristheangel Mod Posts: 4,133 Mod
    It's useful for certain things like guest and system portals for internal use. There's certain things you can't use them for (i.e. EAP authentication) and I would go the way of SAN certs in that case. It all really depends on what you need the certificate for. In most cases, a SAN cert might do the trick over a wildcard cert.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • PocketLumberjackPocketLumberjack Member Posts: 162 ■■■□□□□□□□
    Digicert made a nice wildcard Cert for Stack Overflow recently, it's a good read if you are interested in Certificates and PKI.

    Edit:

    Link to the blog post:
    https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/
    Learn some thing new every day, but don’t forget to review things you know.
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    Good for securing internal environment including firewalls, appliances, servers, ESXi, RDP. Kinda useful as Chrome tend to complain about unrecognised certs.

    For internet facing, it depends on your industry.Banks will use EV certs for that additional assurance. You can get free SSL from Let's Encrypt via scripts and even automate the cert renewal process.

    I would also strengthen internal environment crypto config limiting it to TLS 1.2 and PFS ciphers only.

    You can consider having a internal CA to secure all internal devices and automatically issuing certs to windows servers for RDP, SQL, intranet web portals use.. Using GPO to push your CA cert into trusted CA group on all internal windows endpoints. Or you can get external recognised CA to sign your internal CA.
  • NotHackingYouNotHackingYou Member Posts: 1,460 ■■■■■■■■□□
    I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.
    When you go the extra mile, there's no traffic.
  • beadsbeads Member Posts: 1,533 ■■■■■■■■■□
    Respondents;

    Than-you for the support of my own conclusion on this topic. Greatly and humbly appreciated. Wait? Did I say humble? Never-mind. icon_redface.gif
    I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.

    There are so many reasons not to use one cert its not funny but the universal basket of golden eggs is probably the obvious. Tried to figure out how often certs are recalled on the CRL? Pfft! That was an exercise in futility unto itself.
Sign In or Register to comment.