DOLAdmin

asked on

SSL Certificate Question

I'm told by a commercial CA that just because a CSR might contain email address information (because the server process needed to create the CSR requires an admin's email address entry amongst other things), that the email address will not appear to the outside world in the certificate after they've signed it.  Our security Chief has concerns and says (paraphrasing): "the CA doesn't care - it will"

1) Is this true?

2) Even if it did, what's the risk or threat?

Thanks.
ASKER CERTIFIED SOLUTION
lisfolks

This solution is only available to members.
DOLAdmin

ASKER

lisfolks thanks.  Not an easy question to formulate for me but yes, it would seem to make sense the way you explained it.  Key thing being: if it were visible in any way through a "View SSL Certificate" screen or "get SSL info/properties" command, how and/or could it be used/leveraged by bad guys (aside from perhaps spammers)?

Just making sure it's a common thing (using valid email addresses in CSRs) for most who deploy servers in DMZs.  Trying to pass a company security scan for a server...

Thanks.
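
One way to settle the question for a specific certificate, as an added example that is not part of the original thread: the shell functions below use OpenSSL's `x509 -email` option to list any e-mail address carried in a certificate's subject or subjectAltName. The hostname, address and file names are constructed, and the two self-signed certificates only stand in for an issuer that copies the CSR subject and one that sets the subject itself.

```shell
#!/bin/sh
# Added example: all names, addresses and files below are constructed.

# Print every e-mail address embedded in a PEM certificate
# (subject emailAddress and subjectAltName rfc822Name), one per line.
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

# Return 0 if the certificate exposes no e-mail address, 1 otherwise.
cert_has_no_email() {
    [ -z "$(cert_emails "$1")" ]
}

# Build a demo: one CSR carrying an e-mail address, then two certificates
# for the same key. "copied.pem" keeps the CSR subject as submitted;
# "stripped.pem" stands in for an issuer that sets the subject itself.
make_demo() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj "/CN=www.example.test/emailAddress=admin@example.test" \
        -out "$dir/req.csr" 2>/dev/null
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" \
        -days 1 -out "$dir/copied.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -days 1 \
        -subj "/CN=www.example.test" -out "$dir/stripped.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for f in copied stripped; do
    if cert_has_no_email "$demo_dir/$f.pem"; then
        echo "$f.pem: no e-mail address in certificate"
    else
        echo "$f.pem: exposes $(cert_emails "$demo_dir/$f.pem")"
    fi
done
```

To check a certificate a CA has actually returned, pass the signed PEM file to `cert_emails` before installing it on the server.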
SOLUTION
This solution is only available to members.
Thanks!