Solved

Buying an SSL certificate for Remote Web Workplace use - advice about "reissuance"

Posted on 2009-07-07
3
462 Views
Last Modified: 2012-05-07
I am thinking about buying an SSL certificate to install on my SBS 2003 server, for use when I connect using Remote Web Workplace (I'm presently using a self-signed cert but it's frankly embarrassing seeing the certificate error in front of my clients!).

I'm a little confused as to what the SSL company calls "reissuance". As I only need an entry level cert, should I buy one that comes with "unlimited reissuance", or can I just buy the cheaper one and just save a copy of the certificate somewhere?

Thanks.
0
Question by:CSHTech
3 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 300 total points
ID: 24795331
Reissuance is if they need to reissue the certificate.  This is common to have for the first 2-4 weeks or so, but after that if you need your cert reissued then you need to pay for a new cert, or a discounted rate for reissuance.

The reasons you would normally need a cert reissued:
1) Initially corrupted certificate - this is obvious up front within minutes and will normally be reissued for free.

2) "Windows did it" corrupted certificate - certs are files and hence are just as likely as everything else to fall victim to Windows corrupting them.  This usually does not happen, but can at a rate similar to any other specific file.  This can happen anytime, but typically later into the life of the server.  You'll probably need to pay for this to get reissued unless you backed up the cert and private key to a .pfx file (read: export your cert from Certificates MMC including the private key to back it up to a .pfx file... and then copy/move that .pfx somewhere else to archive).

3) You screwed up the cert request - after issuing and installing you realize you should have issued to the alias instead of the server name, to the FQDN instead of the hostname, vice versa, you had the wrong key strength, or that you just simply had a typo.  Depending on how long it took you to realize this, you'll probably be able to replace for free.  (read: make sure to install and test your cert within a couple days after you buy it)

4) Private key compromise - this is rare, but since taking proper care of things tends to get expensive it can happen if someone hacks your server and accesses the directory with the private key.  Now you can't trust it, so you need to revoke it.  Expect to get charged for this.  If this is a concern, look into generating the private key on an HSM (note these are very expensive even for the cheap ones) to provide the best protection against attackers.

5) You need to reissue under a different root certificate from that vendor.  Many of the big cert vendor names (Verisign, Comodo, etc.) own many roots both under their own name and under the names of the various companies that they have purchased over the years.  Due to this, there can be occasional compatibility issues that they may be able to take care of by reissuing the cert under one of their other roots instead of the primary one for whichever type of cert you are looking at.  Again, with timely testing this is normally included in the original couple weeks that they all offer.

Reissuance is important from the cert vendor during the first few days, maybe weeks.  After that it is a safety net for those that don't know how to back up their certificate and private key properly (which isn't all that difficult, you just need to know to do it, which many admins don't somehow).  As you suspected, you can just back it up, archive it, and be a good admin.

It's just a marketing thing.  When you have a policy that screws people that is universal in the industry, then there is a place for a new service to cash in on.  I'm sure there are those that would argue otherwise, but I personally feel that this is legitimate - it is not the CA's job to secure your server and protect the key, it is yours - and each time they need to revoke the old one which makes their CRL grow, slowing things down for everyone eventually, one grain of sand at a time, not to mention the extra bandwidth and other related real costs.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24795400
As a side note, I recommend having a couple flash drives, they're getting cheap enough now, and securing them in a sealed envelope for each server - one for onsite, one for offsite (as a minimum).  Since these will have the private key, it is recommended to not store the .pfx on the server and only archive on offline media like the flash drives.  Also control access to these fobs - keep them locked up in a drawer, safe, or something.  It is best to have a separate pair of fobs for each server, but realistically this is not normally necessary - they are very small (@ 1-2 kB) so pretty much any size will suffice for many servers.  If you have a larger admin team you may wish to split off by job type (unix vs. windows, web servers vs. non-web servers, etc.).
0
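The two comments above describe the backup procedure by hand: export the certificate with its private key from the Certificates MMC to a .pfx, keep that file off the server on offline media, and check it before you ever need it. The script below is an added example of the same procedure scripted, not code from the thread or from Experts Exchange. It assumes Windows Server 2012 or later, where the built-in PKI module provides Export-PfxCertificate and Get-PfxData; SBS 2003 has neither, so there the MMC export is the way to do it. The subject name `remote.example.com` and the drive letter `E:\cert-archive` are placeholders for the RWW certificate's CN and the flash drive.

```powershell
# Added example: back up an installed SSL certificate together with its private
# key to a password-protected .pfx written straight to offline media, record a
# hash so later corruption is detectable, and verify the backup can be read back.
# Assumes Windows Server 2012+ with the PKI module. Paths and subject are placeholders.

param(
    [string]$SubjectMatch = 'remote.example.com',   # placeholder: CN of the RWW cert
    [string]$OfflineRoot  = 'E:\cert-archive'        # placeholder: removable flash drive
)

function Find-ServerCertificate {
    param([string]$Subject)
    # Only certificates in the machine Personal store that actually carry a private
    # key are worth archiving; a cert without its key cannot restore a working server.
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$Subject*" } |
        Sort-Object NotAfter -Descending
    if (-not $candidates) { throw "No certificate with a private key matches CN=$Subject" }
    return $candidates[0]   # the one that expires latest
}

function Backup-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Destination,
        [System.Security.SecureString]$Password
    )
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $file = Join-Path $Destination ("{0}-{1}.pfx" -f $env:COMPUTERNAME, $Cert.Thumbprint)
    # BuildChain bundles the vendor's intermediate certificates, so a restore on a
    # rebuilt server does not also have to hunt for them.
    Export-PfxCertificate -Cert $Cert -FilePath $file -Password $Password -ChainOption BuildChain | Out-Null
    # A hash written beside the archive lets a future restore distinguish a rotted
    # file (the "Windows did it" case) from a good one before importing anything.
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    Set-Content -Path "$file.sha256" -Value "$hash  $(Split-Path $file -Leaf)"
    return $file
}

function Test-CertificateBackup {
    param([string]$PfxPath, [System.Security.SecureString]$Password, [string]$ExpectedThumbprint)
    # 1. Integrity: the file on the media still matches the hash recorded at backup time.
    $recorded = (Get-Content "$PfxPath.sha256").Split(' ')[0]
    $actual   = (Get-FileHash -Path $PfxPath -Algorithm SHA256).Hash
    if ($recorded -ne $actual) { throw "Hash mismatch for $PfxPath - the file or media is corrupt" }
    # 2. Usability: the PFX opens with the password and holds the right cert plus its key.
    $data = Get-PfxData -FilePath $PfxPath -Password $Password
    $end  = $data.EndEntityCertificates | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if (-not $end)               { throw "PFX does not contain certificate $ExpectedThumbprint" }
    if (-not $end.HasPrivateKey) { throw "PFX contains the certificate but not its private key" }
    return "OK: $($end.Subject) valid until $($end.NotAfter.ToString('yyyy-MM-dd')), $($data.OtherCertificates.Count) chain cert(s) included"
}

# Prompt rather than hard-code the password; it protects the private key on the media.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
$cert = Find-ServerCertificate -Subject $SubjectMatch
$pfx  = Backup-ServerCertificate -Cert $cert -Destination $OfflineRoot -Password $pfxPassword
Test-CertificateBackup -PfxPath $pfx -Password $pfxPassword -ExpectedThumbprint $cert.Thumbprint
```

Run it once per archive copy (onsite and offsite drive), then seal the drives as the comment suggests. Rerunning only Test-CertificateBackup against a drive is a cheap periodic check that the media is still readable and the file has not silently rotted; nothing is written to the server's own disk, so the only copy of the private key outside the certificate store stays on the offline media.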
 

Author Closing Comment

by:CSHTech
ID: 31600580
Thank you for your time and effort on this - it's much appreciated.
0
