The case for wildcard certificates

Wildcard certificates used to have a stigma attached to them; however, I didn’t really know where that stigma came from, except that it was considered “best practice” not to use them under certain circumstances.

So I did a bit of digging – let’s start with the gold standard for Certificate Authorities (CAs), VeriSign: gold standard by price first, since most other CAs appear to offer more flexibility for less cost, but that’s another matter. So the gold standard must be around trust – should trust cost you more? And how is that trust measured? Obviously I’m looking at this with my consumer hat on, thinking something’s costing me more money from one vendor than from another – is there a good reason for a commodity costing more?

Putting my IT hat back on, and looking at the security reasons stated for NOT using wildcard certificates, most tended to centre on having to revoke certificates, the management pain of replacing certificates, etc., but most of those reasons quoted on other sites came from VeriSign in the first place.

Putting my consumer hat back on, I shopped around a bit and noticed that I could buy a DigiCert wildcard certificate with unique key pairs for separate servers if I needed them, as well as specifying a Subject Alternative Name (SAN) entry for Windows Mobile 5 use, for not much more money than I would spend on a SAN cert at DigiCert. Food for thought indeed…

So, my requirements for certificates tend to centre on Exchange 2007 and Exchange 2010. Both support wildcard certificates with minimal adjustments. The same applies to Outlook 2007/2010 as well. Older versions of Windows Mobile won’t – my condolences if you’re still using Windows Mobile 5.

But wait – what about the security implications of using wildcard certificates?

Quoting VeriSign:

Security: If one server or sub-domain is compromised, all sub-domains may be compromised.

Most of the security issues that could cause such a compromise include loss of physical security, unpatched OS or application vulnerabilities allowing such a breach, etc. I’d like to suggest that if you’re in a position NOT to buy a wildcard certificate due to these concerns, you may be facing bigger issues.

That’s quite brave of me to say, since I’m obviously not on your network, nor am I a secure or commercially sensitive organisation where loss of reputation concerns outweigh operational efficiencies or even cost concerns.

Let’s be honest, the biggest reason in my mind to use wildcard certificates is cost and convenience. Generating a SAN cert the first time round can be daunting if you’ve never done it, and having a SAN cert re-done due to a name change, or listing names in the wrong order can cost you a fair whack, depending on how many names need to change or be added to the certificate.

We don’t have reliable stats in the market as to breaches from regular certificates versus wildcard certificates. The fact that this list doesn’t exist – or I haven’t been able to find one – seems to indicate that the folks who really care aren’t keeping a list. I’m sure that if one existed, a brave marketing person would have used it to sell more non-wildcard certificates, or CAs would have stopped selling wildcard certificates. I’m happy to be corrected on this point!

Looking at the various options available in the market (and I’ve only compared VeriSign and DigiCert), there are a number of security enhancements to wildcard certificates available which should outweigh the theoretical security risks of not using them. Added to that, most of the security risks that would expose you to such a breach are mitigated by good operational practice – i.e. patching, firewall log review, regular penetration testing, up-to-date antivirus, etc.

In my mind the only reason NOT to use a wildcard certificate is an application which doesn’t support it – like OCS, or older client software – OR you’ve made up your mind that for whatever reason, you just CAN’T.

If you’re in the position to look at buying certificates and wildcard certificates could work for you, why wouldn’t YOU buy them?