Re: Slightly OT: SSL certs - best practice?

Hi all,

Clemens Renner wrote:
Hi James,

I would advise against using wildcard certificates. There certainly are situations where this might be adequate but I'm in favor of a single server certificate for each service that uses a different (virtual) host. Thus, I have created several certificates for Apache SSL hosts plus certificates for mail serving, etc.

An alternative to wildcard certificates
is the SAN or SubjectAltName method
documented here:

http://wiki.cacert.org/wiki/VhostTaskForce

It seems to work, I've used it (note that
the primary CN should be duplicated in the
SAN list).

PS - Once I've worked out how exactly I'm supposed to be doing this,
I'll probably get some "officially" signed certs. I hear CACert are a
good, free way of doing this. Anyone got any comments on that?
...
I'd say the same thing applies to certificates signed by a CA that does not do a "real" verification of the requesting person by which I mean that you probably don't need to go somewhere and show some official ID to prove that you are in fact you.


OK, just to clarify here - CAcert's system of
verification includes (in general) checking of
identity documents in a person-to-person process.

Once people have been
verified to their standard - they call it their
assurance process - the assured user can issue
certs with names in them, using a "class 3" root;
before that, users can only issue unnamed certs
using an anon "class 1" root.

(Whether this works for you, all depends.)

iang

PS: I gather that the "class 3" and "class 1"
convention comes from verisign.
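As an added example of the SAN method mentioned above (not code from the original thread), the Go program below builds a self-signed certificate whose subjectAltName lists several virtual hosts and shows why the primary CN should be repeated in the SAN list: once a SAN extension is present, hostname verification ignores the CN entirely. The hostnames are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSign builds a self-signed certificate with the given CN and SAN DNS names.
// Self-signed only for the demo; a CSR sent to a CA carries the same extension.
func selfSign(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // subjectAltName: one cert, several virtual hosts
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// servesHost reports whether standard hostname verification accepts cert for
// host. When a SAN list is present the CN is not consulted at all.
func servesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// Constructed placeholder hostnames, not taken from the original post.
	vhosts := []string{"www.example.test", "mail.example.test", "wiki.example.test"}
	good, _ := selfSign("www.example.test", vhosts)    // CN repeated in SAN
	bad, _ := selfSign("www.example.test", vhosts[1:]) // CN left out of SAN
	fmt.Println(servesHost(good, "www.example.test"), servesHost(bad, "www.example.test"))
}
```

Running it prints `true false`: the certificate that omits the CN from its SAN list is rejected for that very host even though the CN names it.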
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security