Slightly OT: SSL certs - best practice?

Clemens Renner claim at rinux.net
Tue May 16 00:15:26 UTC 2006


Hi James,

I would advise against using wildcard certificates. There certainly are 
situations where this might be adequate but I'm in favor of a single 
server certificate for each service that uses a different (virtual) 
host. Thus, I have created several certificates for Apache SSL hosts 
plus certificates for mail serving, etc.

One point might be: If someone manages to set up a host in the namespace 
of the wildcard certificate and presents the cert once the host is 
accessed, it looks like you have accredited that specific host since you 
probably signed that wildcard cert.

Whether you use single certs for pop.netinertia.co.uk, 
imap.netinertia.co.uk etc. or one generic name for all services related 
to your mail -- that's a matter of taste, I guess. In any case, I 
wouldn't stick with wildcards.

> PS - Once I've worked out how exactly I'm supposed to be doing this,
> I'll probably get some "officially" signed certs. I hear CACert are a
> good, free way of doing this. Anyone got any comments on that?

The problem with self-signed certs is just that they usually aren't 
trustworthy, as you may have noticed. I'd say the same thing applies to 
certificates signed by a CA that does not do a "real" verification of 
the requesting person, by which I mean that you probably don't need to go 
somewhere and show some official ID to prove that you are in fact you.

The problem with fraud is misplaced trust. And people (read: those who 
decide which CA certs to include in a product by default) tend to put 
stronger trust in something that requires money for someone to vouch for 
you.

On the other hand, I haven't had any bad experience with the following 
approach: I created my own CA and have used it to sign my certs. I've 
instructed all of my users how to import and trust that CA cert and 
we're done. You only need to do this once to get any cert signed by that 
CA accepted from that point on.

Clemens
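The private-CA approach Clemens describes, and the per-host (non-wildcard) certificates he recommends, as an added worked example that is not part of the original post: a POSIX shell script driving `openssl` to create a self-signed CA, issue one certificate per mail host, and then verify each certificate the way a client would (chain to the CA plus hostname match). The hostnames are the ones mentioned in the thread; the CA name, key sizes, lifetimes and the `$WORK` directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the freebsd-security thread. Assumes a
# reasonably modern openssl (1.1.0 or later for -verify_hostname).
# The CA name, key sizes and validity periods below are arbitrary choices.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs (assumption)

# make_ca: create the private CA key and a self-signed CA certificate.
# ca.crt is the single file users import and trust once; after that every
# certificate signed by this CA is accepted, which is the point of the post.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Netinertia Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <name> <dns-name>...: one key pair and one CA-signed certificate
# per service host. The names are listed explicitly in subjectAltName, so the
# cert is valid for exactly those hosts and nothing else (no wildcard).
issue_cert() {
    name="$1"; shift
    sans=""
    for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/ca.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    # End-entity extensions: explicitly not a CA, server-auth only.
    cat > "$WORK/$name.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
    openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_host <name> <hostname>: what a mail or web client does on connect,
# i.e. build the chain to the trusted CA and match the presented hostname.
# Returns 0 when the certificate is acceptable for that hostname, non-zero otherwise.
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

main() {
    make_ca
    issue_cert pop  pop.netinertia.co.uk
    issue_cert imap imap.netinertia.co.uk
    echo "CA and certificates written to $WORK"
    verify_host pop pop.netinertia.co.uk && echo "pop.crt accepted for pop.netinertia.co.uk"
    verify_host imap imap.netinertia.co.uk && echo "imap.crt accepted for imap.netinertia.co.uk"
    # A per-host cert presented by a different host in the same domain is rejected,
    # which is exactly the exposure a wildcard cert would not give you.
    if verify_host pop imap.netinertia.co.uk; then
        echo "unexpected: pop.crt accepted for imap.netinertia.co.uk"
    else
        echo "pop.crt correctly rejected for imap.netinertia.co.uk"
    fi
}

main "$@"
```

Only `ca.crt` needs to be distributed to users; the CA private key stays offline with whoever signs certificates, and each service gets its own `<name>.key` and `<name>.crt`. The hostname check in `verify_host` is the step that gives a per-host certificate its value: a certificate issued for `pop.netinertia.co.uk` does not validate for `imap.netinertia.co.uk`, whereas a `*.netinertia.co.uk` wildcard would validate for any host under that name.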

