Mailing Lists: Apple Mailing Lists

 

Re: Wildcard Certificates - Do they work?




On Jul 27, 2009, at 4:47 PM, Matt Federoff wrote:

Dear Fellow Server Wranglers,

We use a variety of OS X server services and my users are getting tired of "invalid certificate" messages. 

Having not purchased certs in a while, I went to go buy some and noted the new "wildcard" certs that claim to be able to secure multiple hosts in one domain with one certificate. 

i.e. "mail.foo.com, chat.foo.com, etc."

Does this work? Do they work with OS X Server? 

How do you install it? The same cert on every server in question? 

Anyone done this?

Matt - let me get a little pedantic here, just so you have this information.
The late Michael Bartosh referred to this OpenLDAP mailing list post by Howard Chu of Symas Corp:


RFC2459 does not permit the use of wildcards in the subject DN of a cert. The specification only allows wildcards to be used in the subjectAltName extension. Any organizations and software packages supporting wildcards in the subject DN are broken, and cannot be considered to have a reliable security implementation.

SSL and certificates are not just some Magic Security Solution that can be used arbitrarily without any thought. It is important to understand exactly what these things are for. A certificate *certifies* that an entity is exactly who it claims to be. As such, a certificate with a wildcarded subject DN is pure nonsense - "hello, my name is <every possible entity of Example.COM>". The use of wildcards in the subjectAltName also has a very clear meaning. When presenting such a cert, the entity is saying "Hello, my name is server1.example.com AND I can accept requests on behalf of other servers in example.com." Again, the point of a certificate is to uniquely and unambiguously identify something, because you cannot make any conclusions about the integrity of a transaction if you cannot unambiguously identify who you're transacting with. Without such an assurance, there is no security, and you may as well not bother using certificates at all.

That being said, wildcard certs are a common practice.

I can't speak to using them for services other than web.


Arek Dreyer - Dreyer Network Consultants, Inc
Chicago-based 773-251-8931    email@hidden
Apple Certified Trainer, Apple Certified System Administrator
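What a wildcard name in a certificate actually covers, as an added example that is not part of the list post or of any OS X Server code. The matching rules are the ones clients apply under RFC 2818 and RFC 6125: the wildcard must be the whole leftmost label of a dNSName, it matches exactly one label, and when a certificate carries subjectAltName dNSName entries the subject CN is ignored. The certificate dictionaries (`WILDCARD_CERT`, `CN_ONLY_CERT`) and the `san_dns`/`subject_cn` keys are a constructed stand-in for a parsed certificate, not real certificates or a real parser API.

```python
"""Hostname matching against certificate names (added example, not from the list post).

Implements the wildcard rules of RFC 2818 / RFC 6125 section 6.4.3: a wildcard is
honoured only as the complete leftmost label of a dNSName, it matches exactly one
label, and it never covers the bare domain on its own. The certificate structure
is a constructed stand-in for a parsed cert: {'subject_cn': ..., 'san_dns': [...]}.
"""
from __future__ import annotations


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the presented dNSName or CN `pattern` covers `hostname`."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard matches exactly one label, so label counts must agree. This is what
    # makes '*.foo.com' cover 'mail.foo.com' but neither 'foo.com' nor 'a.b.foo.com'.
    if len(p_labels) != len(h_labels):
        return False
    # The wildcard must be the entire leftmost label, the only wildcard, and must
    # leave at least two real labels behind it ('*.com' would cover every .com host).
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: dict, hostname: str) -> tuple[bool, str]:
    """Decide whether `cert` identifies `hostname`; returns (ok, reason).

    Mirrors client behaviour: if the cert carries any dNSName SAN entries, only those
    are consulted and the subject CN is ignored; the CN is a legacy fallback for
    SAN-less certificates only.
    """
    san = cert.get("san_dns", [])
    if san:
        for name in san:
            if dns_name_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "no SAN dNSName matched; subject CN ignored because SANs are present"
    cn = cert.get("subject_cn")
    if cn and dns_name_matches(cn, hostname):
        return True, f"matched subject CN {cn!r} (legacy fallback, no SAN present)"
    return False, "no SAN present and subject CN does not match"


# Constructed sample certificates, not real ones: a wildcard cert the way a CA issues
# it (wildcard in the SAN plus the bare domain, CN duplicating the wildcard for old
# clients), and a CN-only wildcard cert with no SAN at all.
WILDCARD_CERT = {"subject_cn": "*.foo.com", "san_dns": ["*.foo.com", "foo.com"]}
CN_ONLY_CERT = {"subject_cn": "*.foo.com", "san_dns": []}


def demo() -> dict:
    """Evaluate WILDCARD_CERT against the hosts from the question plus two edge cases."""
    hosts = ["mail.foo.com", "chat.foo.com", "foo.com", "a.b.foo.com", "mail.foo.com.evil.test"]
    return {h: cert_matches_host(WILDCARD_CERT, h)[0] for h in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:28} {'OK' if ok else 'NO MATCH'}")
```

The same `*.foo.com` certificate is installed on every host it is meant to cover (mail.foo.com, chat.foo.com, and so on, each with the same private key), which is why the bare domain `foo.com` only works when the CA has added it as its own SAN entry: the wildcard alone does not reach it, and a deeper name such as `a.b.foo.com` is never covered.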



Macos-x-server mailing list      (email@hidden)

References: 
 >Wildcard Certificates - Do they work? (From: Matt Federoff <email@hidden>)


