Tuesday, August 9, 2011

Wildcard vs. CN certificates, or how to reduce the pain of managing SSL certificates

If you use a reverse proxy, e.g. Apache or Microsoft ISA Server/TMG 2010, you might already have run into some of these:
- some certificates are publicly signed, others come from the internal CA
- certificate validity ranges from 1 year to 3 years, and nobody knows why they are not all good for 3 years
- every certificate has a different validity start date and expiration date
- renewing certificates with Subject Alternative Names is exhausting
- each web site or SSL listener has its own certificate
- there is no (semi-)automatic certificate renewal process

You may be able to run things this way with 5 web sites, but what if you have 20, 40, 180 or more websites on your reverse proxy?

So what to do?
- Next time, request only 2048-bit RSA certificates
- Secure internal-only and external-facing websites with public certificates
- Don't buy certificates one at a time; get as many as you can from one public CA. That makes troubleshooting much easier.
- Request one wildcard certificate, i.e. *.domain.com instead of www.domain.com
- Wildcard certificates do not work with all services; where they don't, use at least SAN entries
- Buy/request certificates for 3 years instead of 1 year
- Renew certificates in bulk, e.g. every January, and start the renewal process early
- Create a script with openssl or a certreq.inf file
e.g. an inf file to request a certificate from an internal Windows CA:

[NewRequest]
Subject="CN=win4012.crypto-live.org"
Exportable=TRUE
KeyLength=2048
KeySpec=1                 ;AT_KEYEXCHANGE
KeyUsage=0xf0             ;digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
MachineKeySet=TRUE
SMIME = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1     ;Server Authentication
OID=1.3.6.1.5.5.7.3.2     ;Client Authentication

[RequestAttributes]
CertificateTemplate = CLWebServer ;Omit line if CA is a stand-alone CA
SAN="dns=win4012.crypto-live.org&dns=cl4000.crypto-live.org"
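As an added example (not the post's own code), the following script decides which reverse-proxy hostnames a single wildcard certificate can cover, which ones still need their own SAN entry, and then emits a certreq.inf in the same layout as the sample above. It assumes the usual wildcard rule (one label in the leftmost position only), and the hostnames are constructed sample data.

```python
def wildcard_covers(pattern: str, host: str) -> bool:
    """'*.example.com' matches exactly one label in the leftmost position
    (RFC 6125): www.example.com yes; example.com and a.b.example.com no."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def split_coverage(wildcard: str, hosts):
    """Return (covered, needs_san): hosts the wildcard matches, and hosts that
    still need their own dns= SAN entry (bare domain, deeper names, other domains)."""
    covered = [h for h in hosts if wildcard_covers(wildcard, h)]
    needs_san = [h for h in hosts if not wildcard_covers(wildcard, h)]
    return covered, needs_san


def build_certreq_inf(subject_cn: str, san_hosts, template: str = "CLWebServer") -> str:
    """Emit a certreq.inf with the same keys as the sample above. The CN is
    repeated in the SAN list because clients match names against the SAN."""
    lines = [
        "[NewRequest]",
        f'Subject="CN={subject_cn}"',
        "Exportable=TRUE",
        "KeyLength=2048",
        "KeySpec=1",
        "KeyUsage=0xf0",
        "MachineKeySet=TRUE",
        "SMIME=FALSE",
        'ProviderName="Microsoft RSA SChannel Cryptographic Provider"',
        "ProviderType=12",
        "RequestType=CMC",
        "",
        "[EnhancedKeyUsageExtension]",
        "OID=1.3.6.1.5.5.7.3.1",  # server authentication
        "OID=1.3.6.1.5.5.7.3.2",  # client authentication
        "",
        "[RequestAttributes]",
        f"CertificateTemplate={template}",
    ]
    names = [subject_cn] + [h for h in san_hosts if h.lower() != subject_cn.lower()]
    lines.append('SAN="' + "&".join(f"dns={n}" for n in names) + '"')
    return "\n".join(lines) + "\n"
```

Feed it the host list of one reverse proxy and you get one wildcard request per domain plus the leftover names that must go into the SAN, which is exactly the list to renew in bulk each January.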



And here is the batch file that drives the request, to complete this post:

echo ================  >> certreq.log
rem create the key pair and the request from the inf file
certreq -f -new win4012.inf win4012.csr >> certreq.log
rem submit the request to the internal CA (config = "host\CA name")
certreq -f -submit -config "win4011.crypto-live.org\AAA Crypto Live 4000" win4012.csr win4012.cer >> certreq.log
rem install the issued certificate into the machine store
certreq -accept win4012.cer >> certreq.log


