  1. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,325

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #1

    Default TLS Wildcard certificates

    Any thoughts on using wildcard certificates?

    Personally, I don't like the optics or the rationale that one certificate is acceptable given the inherent risks. Am I going overboard on the protection front, or is this something one would expect to see as more normal? Coming from highly secure environments this would be unheard of, but things may have changed.

    Thank-you in advance.

    - b/eads

  3. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,726

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #2
    It's useful for certain things like guest and system portals for internal use. There's certain things you can't use them for (i.e. EAP authentication) and I would go the way of SAN certs in that case. It all really depends on what you need the certificate for. In most cases, a SAN cert might do the trick over a wildcard cert.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  4. Senior Member PocketLumberjack's Avatar
    Join Date
    Oct 2015
    Posts
    145

    Certifications
    CCENT, CompTIA N+, ITIL Foundation
    #3
    Digicert made a nice wildcard Cert for Stack Overflow recently, it's a good read if you are interested in Certificates and PKI.

    Edit:

    Link to the blog post:
    https://nickcraver.com/blog/2017/05/...tack-overflow/
    2017 Goals:
    (X) CCENT ( ) First 1/2 of CCNA CyberOps ( ) Complete 1/2 of WGU BS CIA
    Not Started| In Progress |Done
    C182 C836 C779 C393 C394 C173 C837 C178 C838 C175 C170 C176 C839 C840 C841 C842 C843 C844 C845 C769

  5. Senior Member
    Join Date
    Jul 2015
    Location
    Island on the other side of Pacific pond
    Posts
    964

    Certifications
    C****, C***, C**
    #4
    Good for securing internal environment including firewalls, appliances, servers, ESXi, RDP. Kinda useful as Chrome tend to complain about unrecognised certs.

    For internet facing, it depends on your industry. Banks will use EV certs for that additional assurance. You can get free SSL from Let's Encrypt via scripts and even automate the cert renewal process.

    I would also strengthen internal environment crypto config limiting it to TLS 1.2 and PFS ciphers only.

    You can consider having an internal CA to secure all internal devices and automatically issuing certs to Windows servers for RDP, SQL and intranet web portal use, using GPO to push your CA cert into the trusted CA group on all internal Windows endpoints. Or you can get an externally recognised CA to sign your internal CA.

  6. Achieve excellence daily
    Join Date
    May 2012
    Location
    Washington State
    Posts
    1,379

    Certifications
    CISSP
    #5
    I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.
    When you go the extra mile, there's no traffic.
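An added example, not posted by anyone in this thread, illustrating the scope difference NotHackingYou and Iristheangel describe: it applies the RFC 6125 hostname-matching rules to a constructed host inventory and lists which hosts a given certificate's key would be accepted for, so a wildcard cert can be compared against an explicit-SAN cert. The certificate and hostname data are constructed for the example.

```python
# Added example (not from the thread): compare how much of a host inventory a
# wildcard SAN entry covers versus explicit SAN entries, using the RFC 6125
# rules (wildcard only as the whole leftmost label, matching exactly one label,
# never the bare domain).
from dataclasses import dataclass, field


@dataclass
class CertInfo:
    """Minimal view of a certificate: a label and its subjectAltName dNSName entries."""
    label: str
    san: list[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname (RFC 6125 section 6.4.3)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, followed by at least two
    # labels (so "*.com" is rejected), and it stands in for exactly one label,
    # so "*.example.com" matches neither "a.b.example.com" nor "example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by(cert: CertInfo, hostname: str) -> bool:
    """True if any SAN entry of cert is valid for hostname."""
    return any(name_matches(entry, hostname) for entry in cert.san)


def hosts_exposed(cert: CertInfo, hostnames: list[str]) -> list[str]:
    """Hosts in the inventory for which this certificate's private key would be accepted."""
    return [h for h in hostnames if covered_by(cert, h)]


# Constructed sample data: one wildcard cert and one explicit-SAN cert for the same site.
WILDCARD_CERT = CertInfo("wildcard", ["*.example.com"])
SAN_CERT = CertInfo("explicit SAN", ["www.example.com", "portal.example.com"])
# Constructed inventory of hosts in the same domain.
INVENTORY = ["www.example.com", "portal.example.com", "vpn.example.com",
             "mail.example.com", "dev.api.example.com", "example.com"]

if __name__ == "__main__":
    for cert in (WILDCARD_CERT, SAN_CERT):
        print(f"{cert.label}: key would be accepted for {hosts_exposed(cert, INVENTORY)}")
```

Running it shows the wildcard key is valid for four of the six inventory hosts, while the explicit-SAN key is valid only for the two hosts it was issued for.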

  7. Senior Member
    Join Date
    Mar 2011
    Location
    Chicago
    Posts
    1,325

    Certifications
    CISSP-ISSAP, HCISPP GPEN, GSEC, GSNA, GCIH, E|CH, ECSA, Security+
    #6
    Respondents;

    Thank-you for the support of my own conclusion on this topic. Greatly and humbly appreciated. Wait? Did I say humble? Never-mind.

    Quote Originally Posted by NotHackingYou View Post
    I prefer not to use them because if the cert is stolen it can be used on any subdomain. I prefer to get a cert for the specific site and add the required SANS.
    There are so many reasons not to use one cert it's not funny, but the universal basket of golden eggs is probably the obvious one. Tried to figure out how often certs are recalled on the CRL? Pfft! That was an exercise in futility unto itself.
