SSL Certificates Multi vs. Singles
Dear Experts,
My "in-house" Exchange Server has an SSL UC/SAN Certificate from DigiCert to secure the OWA access.
I would like to install an SSL Certificate on my Cisco ASA Firewall as well, so that remote users can access the VPN with an SSL Certificate.
And in the near future, I would like to add an SSL to my Web Site which is currently under construction.
Q1) Is it possible to use the existing Certificate of Exchange Server by adding the subdomain assigned to the VPN?
Q2) If yes, and a user who is accessing the Exchange OWA opens the browser's SSL padlock, will he be able to see all the subdomains assigned to this SSL Certificate?
Since, in that case, it would help a possible hacker to see the available subdomains.
Q3) Security wise, is it recommended to have one Certificate with various subdomains to cover various applications and Services or is it better to issue different SSL Certificates for each platform/service?
Thank you in advance,
Mamelas
2a. Yes, you can see all the SAN entries on a certificate.
2b. Yes, but they are hostnames, not subdomains.
3. As Rodney has pointed out, a wildcard cert is probably best for your requirements.
ASKER
It is good to hear that with a Wildcard Certificate the SANs cannot be seen; on the other hand, as per @Deman's recommendation, a renewal of a Wildcard generated with errors would cause a big headache and trouble.
It's clearer now what each type of SSL Certificate can offer, but on the other hand I am confused.
Wildcard is easier to maintain but vulnerable in case of misconfiguration, separate certificates are the opposite.
If you mean modify a cert, then no.
You can always generate a new cert, covering whatever hosts/domains you like.
Q2) If yes, and a user who is accessing the Exchange OWA opens the browser's SSL padlock, will he be able to see all the subdomains assigned to this SSL Certificate? Since, in that case, it would help a possible hacker to see the available subdomains.
See #1.
This depends on how you generate the cert.
For example, if you look at CloudFlare certs when CloudFlare HTTPS is working, you'll sometimes see hundreds or more sites covered.
This seems like a huge security flaw to me, as any cert cracked, then gives access to all site HTTPS conversations.
I'd avoid this like the plague.
Q3) Security wise, is it recommended to have one Certificate with various subdomains to cover various applications and Services or is it better to issue different SSL Certificates for each platform/service?
a) Use https://LetsEncrypt.org for free certs that are recognized by all client software now + are rock solid.
b) https://www.experts-exchange.com/questions/29178012/Exporting-a-UCC-SSL-to-a-Windows-Apache-Web-Server-and-Configuring-Apache-to-use.html provides good coverage of initial cert generation + setting up hands-free, auto-renewals, forever.
c) For me, I only create either a simple cert covering the bare domain + www, or a simple cert covering a single host (members, dev, whatever), or, if 60+ hosts require coverage on a single domain, a wildcard cert.
Using a wildcard cert at 60+ hosts is a LetsEncrypt requirement, as 61+ hosts will be rejected for cert generation.
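To see for yourself what the padlock (or any TLS client) learns from a multi-SAN certificate versus a wildcard one, here is an added shell example, not code from anyone in this thread: it mints two throwaway self-signed certs with openssl (the example.test hostnames are constructed; OpenSSL 1.1.1 or newer is assumed for -addext) and lists the DNS names each one discloses.

```shell
#!/bin/sh
# Added example: compare what a TLS client can read out of a multi-SAN cert
# versus a wildcard cert. Hostnames under example.test are constructed samples;
# assumes openssl 1.1.1+ (for -addext). Keys/certs land in a temp directory.
set -eu

WORK="$(mktemp -d)"

# One cert covering several explicit hostnames (the UC/SAN style).
make_san_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/san.key" -out "$WORK/san.crt" \
    -subj "/CN=mail.example.test" \
    -addext "subjectAltName=DNS:mail.example.test,DNS:autodiscover.example.test,DNS:vpn.example.test" \
    >/dev/null 2>&1
}

# One wildcard cert: the individual hosts behind *.example.test are not enumerated.
make_wildcard_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/wild.key" -out "$WORK/wild.crt" \
    -subj "/CN=*.example.test" \
    -addext "subjectAltName=DNS:*.example.test,DNS:example.test" \
    >/dev/null 2>&1
}

# Print every DNS SAN entry, one per line, exactly as any client that receives
# the certificate during the handshake can (no private key needed).
list_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Number of hostnames disclosed by a certificate file.
count_sans() {
  list_sans "$1" | wc -l | tr -d '[:space:]'
}

make_san_cert
make_wildcard_cert
echo "Multi-SAN cert discloses $(count_sans "$WORK/san.crt") names:"
list_sans "$WORK/san.crt"
echo "Wildcard cert discloses $(count_sans "$WORK/wild.crt") names:"
list_sans "$WORK/wild.crt"
```

Point list_sans at a certificate saved from your own server to audit what it advertises before adding more names to it.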
ASKER
To be fair, I have marked DEMAN-BARCELO (MVP) Thierry as the one who has provided the solution since he was the first covering the biggest part of my questions.
Some browsers/SSL stacks have limits on the size a complete certificate can be when transmitted in the call setup.
(The whole certificate is part of the SSL exchange during setup, so short certificates have their benefits.