DOLAdmin asked:

SSL Certificate Question

I'm told by a commercial CA that just because a CSR might contain email address information (because the server process needed to create the CSR requires an admin's email address entry amongst other things), that the email address will not appear to the outside world in the certificate after they've signed it.  Our security Chief has concerns and says (paraphrasing): "the CA doesn't care - it will"

1) Is this true?

2) Even if it did, what's the risk or threat?

Thanks.
Tags: Apache Web Server, SSL / HTTPS, Security

Last Comment: DOLAdmin, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
lisfolks

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
DOLAdmin

ASKER
lisfolks thanks.  Not an easy question to formulate for me but yes, it would seem to make sense the way you explained it.  Key thing being: if it were visible in any way through a "View SSL Certificate" screen or "get SSL info/properties" command, how and/or could it be used/leveraged by bad guys (aside from perhaps spammers)?

Just making sure it's a common thing (using valid email addresses in CSRs) for most who deploy servers in DMZs.  Trying to pass a company security scan for a server...

Thanks.
SOLUTION
freshcontent

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
DOLAdmin

ASKER
Thanks!
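
An added example, not part of the original thread: a shell check using the `openssl` CLI that lists any e-mail address carried by a CSR and by a certificate issued from it, so the visibility question can be settled by inspecting the actual files. The key, CSR and both certificates are constructed throwaways, and `www.example.test` and `admin@example.test` are placeholder values.

```shell
#!/bin/sh
# E-mail addresses exposed by an issued certificate: the subject's
# emailAddress attribute plus any subjectAltName rfc822Name entries.
cert_emails() {
    openssl x509 -in "$1" -noout -email
}

# E-mail addresses present in a CSR. "openssl req" has no -email option,
# so they are pulled from the text dump (subject, requested extensions).
csr_emails() {
    openssl req -in "$1" -noout -text |
        grep -Eo '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+' | sort -u
}

# Constructed sample data (assumption: placeholder names, throwaway key).
make_samples() {
    dir=$1
    # CSR as a server admin would create it, with an admin address in the subject.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -subj "/CN=www.example.test/emailAddress=admin@example.test" \
        -out "$dir/req.csr" 2>/dev/null
    # Stand-in for an issuer that copies the CSR subject unchanged.
    openssl x509 -req -in "$dir/req.csr" -signkey "$dir/key.pem" -days 1 \
        -out "$dir/copied.pem" 2>/dev/null
    # Stand-in for an issuer that sets the subject itself and omits the address.
    openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=www.example.test" \
        -days 1 -out "$dir/stripped.pem" 2>/dev/null
}

# Report for a CSR/certificate pair: what was submitted vs. what is published.
compare() {
    echo "CSR  $1: $(csr_emails "$1" | tr '\n' ' ')"
    echo "cert $2: $(cert_emails "$2" | tr '\n' ' ')"
}

tmp=$(mktemp -d)
make_samples "$tmp"
compare "$tmp/req.csr" "$tmp/copied.pem"
compare "$tmp/req.csr" "$tmp/stripped.pem"
```

Running `cert_emails` against the certificate file the CA returns, before installing it, shows exactly what a client viewing the certificate would see.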