
Tuesday 9 August 2011

Taking Advantage of Wildcard Certificates

If you have shopped for SSL certificates, you will have noticed that an ordinary certificate is issued for a single host name. Buying a certificate for example.com does not give you SSL for www.example.com or secure.example.com: a browser accepts a certificate only if the host it connected to appears in the certificate's Common Name (or in its Subject Alternative Name entries). Most people can get away with a single certificate, but what about sites that run on several host names? Here is an example of a website that uses several: shop.bigbusiness.com, secure.bigbusiness.com, buy.bigbusiness.com, and mail.bigbusiness.com.

You can buy a separate SSL certificate for every additional subdomain, but the cost climbs quickly once you need four or more. Fortunately, you have the option of a wildcard certificate, which lets you use one certificate on any number of hosts directly beneath your domain.

Wildcard? What's that?

You might be curious what "wildcard" means in "wildcard certificate". In computer terminology, a wildcard is a symbol, usually an asterisk (*), that stands in for some other character or string. In a host name the asterisk stands for one DNS label, so *.example.com refers to the subdomains of example.com such as mail.example.com, secure.example.com, news.example.com, and so on.

The "Common Name" field in an SSL certificate names the host the certificate is issued for. A wildcard certificate is simply one whose Common Name contains a wildcard, such as *.bigbusiness.com. Keep in mind that the asterisk matches exactly one label: *.bigbusiness.com covers shop.bigbusiness.com and mail.bigbusiness.com, but it does not cover bigbusiness.com itself, and it does not cover a deeper name such as api.shop.bigbusiness.com. If you decide to get a wildcard certificate, you will be asked to supply this Common Name when you create the certificate request.
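To make the matching rule concrete, here is a small host-name matcher written for this post (it is an added example, not code from the original article or from any certificate vendor). It implements the single-label wildcard rule that browsers apply (RFC 6125 section 6.4.3): the asterisk must be the whole left-most label, it matches exactly one label, comparison is case-insensitive, and bare-TLD wildcards like *.com are refused. The host names are the ones used in the post; the `uncovered` helper is an assumed convenience for planning which names a wildcard will and will not cover.

```python
"""Wildcard certificate name matching, as browsers do it (RFC 6125 s6.4.3).

Added example for this post; not code from the original article.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied:
    - names are compared case-insensitively, ignoring a trailing dot;
    - without a '*', the names must be identical;
    - a '*' is only allowed as the entire left-most label
      ('f*.example.com' and 'mail.*.com' are rejected);
    - the '*' matches exactly one label, so '*.example.com' covers
      'mail.example.com' but not 'example.com' or 'a.b.example.com';
    - a wildcard with fewer than two labels after it ('*.com', '*')
      is too broad and never matches.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    if "*" not in pattern:
        return pattern == hostname

    pat_labels = pattern.split(".")
    # The wildcard must be the whole first label and appear nowhere else.
    if pat_labels[0] != "*" or any("*" in label for label in pat_labels[1:]):
        return False
    # Refuse '*' and '*.com': at least two fixed labels must follow the '*'.
    if len(pat_labels) < 3:
        return False

    host_labels = hostname.split(".")
    # Exactly one label is consumed by the '*', so the label counts must agree
    # and the first host label must not be empty.
    if len(host_labels) != len(pat_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == pat_labels[1:]


def uncovered(pattern: str, hostnames: list[str]) -> list[str]:
    """Assumed helper: the names in `hostnames` that `pattern` does NOT cover."""
    return [h for h in hostnames if not wildcard_matches(pattern, h)]


if __name__ == "__main__":
    # Host names from the post, plus the two cases the wildcard rule excludes
    # (constructed input for demonstration).
    hosts = [
        "shop.bigbusiness.com",
        "secure.bigbusiness.com",
        "buy.bigbusiness.com",
        "mail.bigbusiness.com",
        "bigbusiness.com",            # the bare domain is not one label below
        "api.shop.bigbusiness.com",   # two labels below; '*' covers only one
    ]
    for h in hosts:
        print(f"{h:28} covered by *.bigbusiness.com: "
              f"{wildcard_matches('*.bigbusiness.com', h)}")
    print("not covered:", uncovered("*.bigbusiness.com", hosts))
```

In practice this means a wildcard certificate for *.bigbusiness.com usually needs bigbusiness.com added as a separate name (a Subject Alternative Name) if the bare domain is served over SSL, and a second wildcard or individual certificates for anything nested deeper than one label.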

Good Things About Wildcard Certificates

Buying a single wildcard certificate for all your subdomains will obviously save you a lot of money. A typical SSL certificate costs about $150, which is fine if you only use one or two subdomains, but with five subdomains you would shell out $750. Think about how much you would save if you owned a website with 10 subdomains needing SSL: that is already $1,500. Compared with a wildcard certificate at about $600, you save $900, and the websites of big companies sometimes need SSL on over 30 subdomains.

Manageability is another benefit of wildcard certificates. Purchasing, installing, and then renewing a pile of certificates every year is not easy, and it is an error-prone task for one person to keep track of so many certificates at once; a missed renewal means an expired certificate and browser warnings for that host. On the other hand, with a wildcard you only have to worry about a single certificate. Managing one certificate is a much simpler task, and mistakes become rare.

The Bad Things about Wildcard Certificates

Using wildcard certificates does have some drawbacks. The first thing experts will point out is security. Big websites are usually run on several servers, and if they all present the same wildcard certificate, they all hold a copy of the same private key. If someone compromises one of those servers and steals that key, they can impersonate every host under the wildcard, including names that do not exist yet, and decrypt traffic captured from any of them. A break-in on one server is no longer a problem for one host name but for the whole domain.

Every host that presents the wildcard certificate stops working if that certificate is revoked for any reason, since browsers that check revocation will reject all of them at once. Until you obtain a replacement wildcard certificate or individual certificates for each subdomain, you may have to take the whole site down.

The last thing you should know is that Extended Validation (EV) is not available for wildcard certificates. What is EV in the first place? It is a set of stringent rules that certificate providers follow when vetting an applicant's identity before issuing a certificate, and it was meant to increase public confidence in SSL. The EV guidelines do not allow wildcards in the Common Name. The green address bar only appears for EV certificates, so you do not get that feature with a wildcard certificate.
