You don't have to add the name to the SAN. From our perspective the duplicate
functionality actually lets us go through the request process for every machine
that needs to have the cert, and each one of them can be a different platform.
They also are then tracked on the Digicert site so I can tell if I have 10 or
100 legitimate servers using it. The caveat about it getting away is still
valid. If someone has access to the cert it is relatively trivial to convert
formats, etc., to use it pretty much anywhere you want. You do have to be able
to provide appropriate DNS resolution to make that viable though. Sorry,
that'll probably start a big discussion on DNS security. :)
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 1:24 PM
To: [email protected]
Subject: RE: [NTSysADM] SSL Certificate

With the duplicate, you're actually putting a name in the SAN, so I'm not sure
that this particular use case exists with Digicert?
Or, probably more accurately, I don't understand your risk...
Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 12:59 PM
To: [email protected]
Subject: RE: [NTSysADM] SSL Certificate

Just keep good track of the wildcard. The downside of losing a single-name cert
is somebody can go be foo.contoso.com; when you misplace a wildcard (until it
gets revoked), someone can go be *.contoso.com.
Thanks,
Brian Desmond
(w) 312.625.1438 | (c) 312.731.3132

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 10:44 AM
To: [email protected]
Subject: Re: [NTSysADM] SSL Certificate

Ah, yes... Another +10 for the wildcard cert - makes deployment far easier.
> On May 24, 2016, at 11:40 AM, Melvin Backus <[email protected]> wrote:
>
> +10 for Digicert. They are a bit more expensive than GoDaddy, but way cheaper
> than Verisign / Thawte. I cannot possibly say enough about their support
> team. I've had cases where they actually called me to help before I even
> opened a ticket. They also have free duplicates so if you have a need for a
> wildcard, etc., it makes it really easy to deal with across multiple
> platforms.
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Ferguson, Chris
> Sent: Tuesday, May 24, 2016 10:27 AM
> To: [email protected]
> Subject: Re: [NTSysADM] SSL Certificate
>
> I use Digicert. They have a great customer service model. If I make a
> mistake, they walk me through it without charge.
>
> If I have trouble installing a certificate, they help me out there too.
>
>
>> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <[email protected]>
>> wrote:
>>
>> Hi,
>> I want to purchase an SSL certificate for one of our support web sites.
>> Which is the most preferred SSL certificate provider? What will be the
>> approximate cost?
>> Anything specific to be considered while purchasing the certificate?
>> This is the first time I am going to purchase/use a third party certificate.
>> Appreciate any assistance.
>> TIA
>>
>> Regards
>> Mathew
>
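
The single-name versus wildcard exposure raised in the thread, as an added example that is not part of any message above. It assumes the common client matching rule (a wildcard counts only as the whole left-most label and covers exactly one label); every host name other than foo.contoso.com is a constructed sample.

```python
# Added illustration: compare which inventory names a misplaced certificate
# would validate for. Host names other than foo.contoso.com are constructed.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname.

    Assumed rule: a wildcard is honoured only as the entire left-most
    label and stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require two fixed labels after the wildcard, so "*.com" is refused.
        return (len(p_labels) >= 3
                and "*" not in "".join(p_labels[1:])
                and p_labels[1:] == h_labels[1:])
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p_labels == h_labels


def exposure(san_entries, inventory):
    """Return the sorted inventory names a holder of the key could present as."""
    return sorted(h for h in inventory
                  if any(san_matches(s, h) for s in san_entries))


INVENTORY = [  # constructed sample inventory
    "foo.contoso.com", "mail.contoso.com", "vpn.contoso.com",
    "contoso.com", "a.b.contoso.com", "foo.contoso.com.example.net",
]

if __name__ == "__main__":
    print("single-name:", exposure(["foo.contoso.com"], INVENTORY))
    print("wildcard:   ", exposure(["*.contoso.com"], INVENTORY))
```

The wildcard covers every one-label host under the zone but not the apex or deeper subdomains, which is the set to check and re-key if the wildcard's private key is misplaced.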