Tuesday, 28 June 2011

SSL Certificate Frequently Asked Questions

What is a wildcard certificate?

Security Risk:

Use of wildcard SSL certificates is strongly discouraged for most use cases; where possible, use another certificate type such as a multi-domain certificate. A wildcard certificate is only useful if its private key is installed on every server that needs it, so a compromise of any one of those websites or servers exposes the key for every host under the wildcard, not just the site that was breached, and the only remedy is to revoke the certificate and reissue it everywhere it was deployed. Also note that not all applications are compatible with wildcard certificates; in particular, many mobile applications will not work with wildcards.

Wildcard certificates secure multiple subdomains with a single SSL certificate. For example, if you want to secure, and, you can use one wildcard certificate to secure all three subdomains under *

There is a limitation in the way wildcard certificates work, and it applies across the board to all Certificate Authorities: the asterisk stands for exactly one label, the leftmost one in the fully qualified domain name. It does not cover the bare domain itself, and it does not cover names that have an additional level of subdomain.
For example, if we create a certificate for the common name of *, will work; will not work; will not work either. If the bare domain must be covered as well, it has to be listed in the certificate explicitly (as a Subject Alternative Name); check the issued certificate rather than assuming the CA added it.
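The following is an added example, not code from the original page, that makes the one-label rule concrete. It implements the matching rule from RFC 6125 section 6.4.3 the way current TLS clients apply it (a * is honoured only as the entire leftmost label and stands for exactly one label), and checks a host name against both a wildcard certificate and a multi-domain certificate. The certificate names and host names are made up; the "at least three labels" guard is a simple stand-in for the public-suffix checks real clients do.

```python
"""Which host names does a certificate name cover?

Added example (not from the original page). Implements the matching rule
from RFC 6125 section 6.4.3 as most current TLS clients apply it: a "*"
is honoured only when it is the entire leftmost label and it stands for
exactly one label. Certificate names and host names below are made up.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is the root and carries no label.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                       # plain name: exact match only
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False                        # "w*.example.com" or "www.*.com": not honoured
    if len(p) < 3:
        return False                        # "*" and "*.com" are too broad to accept
    # Exactly one real label in place of the "*", then an exact suffix match.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def cert_covers(cert_names: list[str], hostname: str) -> str | None:
    """Return the first name in the certificate (CN or SAN entry) that covers
    `hostname`, or None if a client would reject the certificate for it."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed certificates: one wildcard and one multi-domain (SAN) certificate.
WILDCARD_CERT = ["*.example.com"]
MULTI_DOMAIN_CERT = ["www.example.com", "example.com", "mail.example.com", "shop.example.net"]

if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "a.b.example.com", "mail.example.com"]:
        print(f"{host:20} wildcard: {str(cert_covers(WILDCARD_CERT, host)):16} "
              f"multi-domain: {cert_covers(MULTI_DOMAIN_CERT, host)}")
```

Running the block shows the limitation from the text: the wildcard covers www.example.com and mail.example.com but neither example.com nor a.b.example.com, while the multi-domain certificate covers exactly the names it lists and nothing else.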

When generating a Certificate Signing Request (CSR) for a wildcard certificate, put the asterisk (*) as the leftmost label of the Common Name, in place of the host name, so that the Common Name names the domain the wildcard should cover.

What is a multiple domain SSL certificate?

A multi-domain certificate makes it possible to secure up to 100 domains on the same server with a single certificate; the additional names are carried in the certificate's Subject Alternative Name extension. It is best suited to shared hosting environments. Because the list of names is part of the signed certificate, it must be reissued each time you want to add a new host or domain name.

When generating a CSR for a multi-domain certificate, enter the primary domain name in the Common Name field, and let us know the other domain names you want included in the certificate.
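The two CSR instructions above (asterisk as the leftmost label for a wildcard; primary name in the Common Name plus the other names for a multi-domain certificate) can be carried out in one step by putting every requested name into the CSR's subjectAltName extension, so the CA has nothing to guess. The block below is an added example, not from the original page or from the Cornell process it describes; it assumes the openssl command-line tool is on PATH, and all domain names are made up. It also parses the CSR back to confirm which names it actually requests, which is the check worth running before submitting a request.

```python
"""Generate a CSR that carries every requested name in its
subjectAltName extension, using the openssl command-line tool.

Added example, not from the original page. Assumes the `openssl` CLI is
on PATH; the domain names are made up. The CA copies the names it
approves from the request, so a multi-domain (or wildcard plus bare
domain) certificate starts with a CSR that lists all of them.
"""
from __future__ import annotations

import re
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL = shutil.which("openssl")  # None when the CLI is not installed


def openssl_req_config(common_name: str, san_names: list[str]) -> str:
    """Config for `openssl req`: a non-interactive subject plus a SAN request
    extension. The Common Name should also appear in san_names, because
    current clients match only the subjectAltName entries."""
    san = ", ".join(f"DNS:{name}" for name in san_names)
    return (
        "[req]\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = san_ext\n"
        "\n[dn]\n"
        f"CN = {common_name}\n"
        "\n[san_ext]\n"
        f"subjectAltName = {san}\n"
    )


def generate_csr(common_name: str, san_names: list[str], key_bits: int = 2048) -> tuple[str, str]:
    """Create a fresh RSA key and a CSR; return (private_key_pem, csr_pem).
    Only the CSR goes to the CA; the key stays on the server that will use it."""
    if OPENSSL is None:
        raise RuntimeError("openssl CLI not found on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        cfg, key, csr = (Path(tmp, n) for n in ("req.cnf", "key.pem", "req.csr"))
        cfg.write_text(openssl_req_config(common_name, san_names))
        subprocess.run(
            [OPENSSL, "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
             "-keyout", str(key), "-out", str(csr), "-config", str(cfg)],
            check=True, capture_output=True,
        )
        return key.read_text(), csr.read_text()


def san_names_in_csr(csr_pem: str) -> list[str]:
    """Parse the CSR back with openssl and return the DNS names it requests.
    Run this before submitting: a name missing here yields a certificate
    that clients will reject for that host."""
    text = subprocess.run(
        [OPENSSL, "req", "-noout", "-text"],
        input=csr_pem, capture_output=True, text=True, check=True,
    ).stdout
    match = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if not match:
        return []
    return [entry.strip()[len("DNS:"):] for entry in match.group(1).split(",")
            if entry.strip().startswith("DNS:")]


if __name__ == "__main__":
    # Multi-domain: primary host in the CN, every host (CN included) in the SAN.
    _, csr = generate_csr("www.example.com", ["www.example.com", "example.com", "mail.example.com"])
    print("multi-domain CSR requests:", san_names_in_csr(csr))
    # Wildcard: "*" does not cover the bare domain, so list it explicitly.
    _, csr = generate_csr("*.example.com", ["*.example.com", "example.com"])
    print("wildcard CSR requests:", san_names_in_csr(csr))
```

The private key is written unencrypted (-nodes) into a temporary directory and returned to the caller; in practice keep it on the one host that terminates TLS, with file permissions restricted to that service, and never mail it alongside the CSR.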

What are Unified Communications Certificates?

A Unified Communications Certificate (UCC) is a multi-domain certificate specifically designed for use with Microsoft Exchange and Microsoft Office Communications Server, which need one certificate to cover several service host names.

What are Extended Validation Certificates?

Extended Validation (EV) SSL certificates are a newer class of certificate that works with EV-aware web browsers to clearly display the organizational identity behind a website. For example, in Internet Explorer 7.0, Firefox 3.0 or Opera 9.5 the address bar turns green to identify the site as having an EV certificate, and a display next to the URL toggles between the organization name and the name of the Certificate Authority that issued the certificate. The green bar means that a third party has validated the legitimacy of the business, the business's right to use the domain name, and that the high-assurance certificate was legitimately obtained. (Current browsers have since retired the green address bar and no longer show the organization name by default, so the visual cue described here no longer appears; the stricter vetting of the organization is what remains.)

Generating a CSR for an EV certificate is the same as generating the CSR for a single-domain SSL certificate; the additional validation happens at the Certificate Authority, not in the request.

Can I get a certificate for a host in a none domain?

Yes, as long as Cornell owns the domain. Send your request to Identity Management support.
To ensure the university's compliance with the InCommon agreement, requests for certificates outside of domains are subject to extra vetting and approval by both the university and InCommon. To begin your request, send email to requesting that the domain be added, and the IDM SSL admin will initiate the process of validating your domain with InCommon. After the domain is validated, you can request a certificate for a host in that domain through the normal channel.
