Snitz Forums 2000
 Anyone used a wildcard SSL cert?

lofty
Junior Member

USA
158 Posts

Posted - 29 September 2003 :  16:16:17
Has anyone used a wildcard SSL cert?

I want to avoid having to pay the fee for a separate cert for www.domain.com, smtp.domain.com, pop.domain.com, webmail.domain.com, etc. I figured a wildcard SSL would help, but I have a couple questions:

1. Can a wildcard SSL secure domains that exist on different servers? e.g. secure pop email on serverA and secure website on serverB?

2. Can a wildcard SSL be generated for different server types, or do they all share the same server type? For example IIS uses a different certificate format than Apache/OpenSSL.

Thanks, this SSL thing is quite a racket.

Adam Lofstedt

Classicmotorcycling
Development Team Leader

Australia
2085 Posts

Posted - 29 September 2003 :  21:59:27
Lofty,

I am not sure on wild card certs, but I know that if you purchase only one (1) cert for a domain, then it can not be used on another server. I work for a major bank here in Australia and we have some number of servers for the web pages, and have been advised that we need to purchase a cert for each server, even though they are the same site.

It ended up costing us mega dollars when we found out as we used to only buy one (1) cert for the entire web farm. So you may have to purchase a separate cert for each server. Check with the company you are going to purchase the cert from first to confirm.

Also the cert that is generated for IIS is different than that for Apache/OpenSSL, so you will need to get different certs.

Cheers,

David Greening

dayve
Forum Moderator

USA
5820 Posts

Posted - 29 September 2003 :  22:52:35
quote:
Originally posted by Classicmotorcycling

Lofty,

I am not sure on wild card certs, but I know that if you purchase only one (1) cert for a domain, then it can not be used on another server. I work for a major bank here in Australia and we have some number of servers for the web pages, and have been advised that we need to purchase a cert for each server, even though they are the same site.



Yes and No, it all depends. I recently set up a Citrix Metaframe XP farm with NFuse and I was able to take advantage of what they call SSL Relay to ensure encryption existed between the NFuse Portal Server and the 5 load balanced servers in the farm.

My suggestion is this, use a cheaper SSL provider like http://www.instantssl.com which is only like $200+ bucks versus the Verisign $900+ bucks option. The only significant difference I saw between the two providers is the amount of insured liabilities. The encryption is the same though.

You can also create your own certificate, but that will be considered "untrusted"... however the encryption process works just fine.


dayve
Forum Moderator

USA
5820 Posts

Posted - 29 September 2003 :  22:53:39
This may be of an interest to you as well since you brought it up.. http://www.instantssl.com/ssl-certificate-products/ssl/wildcard-ssl-premiumssl_wildcard.html


Classicmotorcycling
Development Team Leader

Australia
2085 Posts

Posted - 30 September 2003 :  05:04:15
Dayve,

It is Verisign we use for our certs, and we pay $AUS1800.00 per cert, they obviously see us coming.. Verisign have informed us that we need to pay for 1 cert per server, and not pay for 1 cert for all servers.
quote:
Originally posted by dayve

Yes and No, it all depends. I recently set up a Citrix Metaframe XP farm with NFuse and I was able to take advantage of what they call SSL Relay to ensure encryption existed between the NFuse Portal Server and the 5 load balanced servers in the farm.

My suggestion is this, use a cheaper SSL provider like http://www.instantssl.com which is only like $200+ bucks versus the Verisign $900+ bucks option. The only significant difference I saw between the two providers is the amount of insured liabilities. The encryption is the same though.

You can also create your own certificate, but that will be considered "untrusted"... however the encryption process works just fine.

Be interesting to see if Verisign have changed their attitude towards this.

quote:
Originally on www.instantssl.com

Price:

At only $449 for a one year Certificate, PremiumSSL is the most cost effective wildcard SSL Certificate available today. With a warranty level to cover the needs of all professional websites, PremiumSSL Wildcard Certificates are the most affordable and commercially logical wildcard solution available. To help customers avoid the hassle of renewing every year, we also offer discounted 2 and 3 year Certificates. For customers requiring their wildcard Certificate to be used across multiple physical servers, we also provide discounts on multi-server licensing.

Good to see they give discounts to go on different physical servers. Thanks for the info Dayve, may have to point the powers that be to them.. A lot cheaper...

Cheers,

David Greening

HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 30 September 2003 :  05:06:56
quote:

I am not sure on wild card certs, but I know that if you purchase only one (1) cert for a domain, then it can not be used on another server.


That is not strictly true, it depends how the SSL was created, they can be tied to machine name (can't then move it), or a domain name. Obviously a domain name can move from one server to another, and the ssl cert with it.

A wildcard ssl is not tied to any particular machine.

Podge
Support Moderator

Ireland
3776 Posts

Posted - 30 September 2003 :  09:00:46
Even cheaper at $199 - http://www.freessl.com/chainedssl/chainedssl_wildcard.html

I've been looking at buying a cert over the last two weeks and I haven't heard any good news about InstantSSL.

"Why is stability important for chained root SSL certificates?
Like FreeSSL certificates, ChainedSSL certificates are issued from a trusted CA root certificate that is owned by FreeSSL.com. Some chained root certificate providers, such as Comodo InstantSSL, do not own their own trusted root, which means that their chained root offerings are unstable. They rely on the trusted root certificate owner to allow them to issue certificates and have no control over what the owner of the certificate does with the certificate - as has recently been shown when Baltimore has decided to sell the root certificate. The only way to offer a stable chained root product is to own the root being used to issue the chained root certificates."

Podge.


Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 30 September 2003 :  10:17:54
I've been using FreeSSL certs since .. well, back when they were really free :) never had any real problems with them.


Classicmotorcycling
Development Team Leader

Australia
2085 Posts

Posted - 30 September 2003 :  21:00:33
This is what we thought, but Verisign informed us that it was one cert, one server. We were placing the one cert across multiple servers.
quote:
Originally posted by HuwR

That is not strictly true, it depends how the SSL was created, they can be tied to machine name (can't then move it), or a domain name. Obviously a domain name can move from one server to another, and the ssl cert with it.

A wildcard ssl is not tied to any particular machine.

Verisign were on site to see our setup and it was discovered that we had been only paying for the use of the cert on one server and we were made to pay for the years, and the servers we installed the cert on.

I feel it would be better to check with the cert provider before placing it on other servers, just in case they find out and decide to make you pay later. Is that a fair comment?

Cheers,

David Greening

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 01 October 2003 :  03:35:15
Not sure if personally I'd believe or trust anything Verisign said anymore, I've lost what little respect I had for that company long before even their latest "smartfinder" stunt.


HuwR
Forum Admin

United Kingdom
20595 Posts

Posted - 01 October 2003 :  05:21:19
I too do not like Verisign.

Anyway, to verify the original first question.

Each server (machine) needs its own certificate, however when buying a wildcard SSL, it is normal practice to only charge a nominal fee (say £10) for each subsequent certificate, if it is part of the same domain as the main SSL.


lofty
Junior Member

USA
158 Posts

Posted - 02 October 2003 :  12:56:33
Thanks Huwr, that makes sense, and was confirmed by an InstantSSL technical rep.

As for going between IIS and Apache/OpenSSL type certificates, they claim that you can convert from IIS style to the PEM format of OpenSSL. That should let me secure my websites on IIS and my mail server that uses Stunnel for secure POP email.

Thanks for the responses everyone.
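
Added example (not part of the thread, and not from any poster or vendor): the IIS-style to PEM conversion and the wildcard coverage discussed above, run against a constructed throwaway certificate with the openssl command line. The domain example.test, the file names and the password are assumptions made for the demo.

```sh
#!/bin/sh
# Constructed input: a throwaway self-signed wildcard cert for the placeholder
# domain example.test stands in for the CA-issued one.
set -eu
umask 077    # every file written below contains a private key

make_wildcard_pfx() {    # $1 = work dir, $2 = export password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    # PKCS#12 (.pfx) is the container a Windows/IIS certificate export produces.
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -out "$1/iis-export.pfx" -passout "pass:$2"
}

pfx_to_pem() {           # $1 = .pfx file, $2 = password, $3 = PEM to write
    # -nodes writes the key unencrypted so a daemon can start unattended;
    # file permissions are then the only protection for the key.
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
}

# Fingerprint of the public key held by a certificate / by a private key.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey()  { openssl pkey -in "$1" -pubout | openssl sha256; }

covers() {               # $1 = PEM cert, $2 = hostname; true if it matches
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_wildcard_pfx "$work" "constructed-password"
pfx_to_pem "$work/iis-export.pfx" "constructed-password" "$work/bundle.pem"

# The converted bundle must still hold the key that belongs to the cert.
[ "$(cert_pubkey "$work/bundle.pem")" = "$(key_pubkey "$work/bundle.pem")" ] \
    || { echo "key/certificate mismatch after conversion" >&2; exit 1; }
echo "key and certificate match after conversion"

# A wildcard matches exactly one label to the left of the domain.
for host in www.example.test pop.example.test example.test a.b.example.test; do
    if covers "$work/bundle.pem" "$host"; then echo "covered:     $host"
    else echo "NOT covered: $host"; fi
done
```

The same key pair ends up on every server that uses the wildcard, so the converted PEM file should be readable only by the service account that loads it.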