lofty
Junior Member
USA
158 Posts
Posted - 29 September 2003 : 16:16:17
Has anyone used a wildcard SSL cert?
I want to avoid having to pay the fee for a separate cert for www.domain.com, smtp.domain.com, pop.domain.com, webmail.domain.com, etc. I figured a wildcard SSL would help, but I have a couple of questions:
1. Can a wildcard SSL secure domains that exist on different servers? e.g. secure pop email on serverA and secure website on serverB?
2. Can a wildcard SSL be generated for different server types, or do they all share the same server type? For example, IIS uses a different certificate format than Apache/OpenSSL.
Thanks, this SSL thing is quite a racket.
Adam Lofstedt
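The question above is really "which of these host names does one `*.domain.com` cert cover?". The following is an added example (not posted by anyone in this thread) implementing the wildcard rule that browsers and OpenSSL apply from RFC 6125 section 6.4.3: the asterisk must be the entire left-most label and stands for exactly one label, so `www.domain.com` and `pop.domain.com` match while the bare `domain.com` and a two-level name like `imap.mail.domain.com` do not. The host names are the ones from the question; the SAN lists are constructed.

```python
"""Which host names does a wildcard certificate name cover?

Added example. Implements the wildcard rule of RFC 6125 section 6.4.3 as
browsers and OpenSSL apply it: '*' must be the entire left-most label and
stands for exactly one label.
"""
import ipaddress


def name_matches(presented: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (possibly a wildcard) covers hostname."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    # A DNS name in a certificate never matches an IP address literal.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, appear only once, and
    # there must be at least two labels to its right ('*.com' is refused).
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    # '*' stands for exactly one label, so the label counts must agree and
    # everything to the right of the wildcard must match exactly.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """A certificate covers a host if any of its DNS names (SAN entries) matches."""
    return any(name_matches(n, hostname) for n in san_dns_names)


# Constructed SAN list for the certificate the question asks about.
WILDCARD_ONLY = ["*.domain.com"]
# Listing the apex name explicitly is how the bare domain gets covered too.
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]

if __name__ == "__main__":
    for host in ["www.domain.com", "smtp.domain.com", "pop.domain.com",
                 "webmail.domain.com", "domain.com", "imap.mail.domain.com"]:
        print(f"{host:24} wildcard only: {cert_covers(WILDCARD_ONLY, host)!s:5} "
              f"with apex: {cert_covers(WILDCARD_PLUS_APEX, host)}")
```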
Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 29 September 2003 : 21:59:27
Lofty,
I am not sure on wildcard certs, but I know that if you purchase only one (1) cert for a domain, then it cannot be used on another server. I work for a major bank here in Australia and we have some number of servers for the web pages, and have been advised that we need to purchase a cert for each server, even though they are the same site.
It ended up costing us mega dollars when we found out, as we used to only buy one (1) cert for the entire web farm. So you may have to purchase a separate cert for each server. Check with the company you are going to purchase the cert from first to confirm.
Also the cert that is generated for IIS is different than that for Apache/OpenSSL, so you will need to get different certs.
Cheers, David Greening
dayve
Forum Moderator
USA
5820 Posts
Posted - 29 September 2003 : 22:52:35
quote: Originally posted by Classicmotorcycling
Lofty,
I am not sure on wild card certs, but I know that if you purchase only one (1) cert for a domain, then it can not be used on another server. I work for a major bank here in Australia and we have some number of servers for the web pages, and have been advised that we need to purchase a cert for each server, even though they are the same site.
Yes and No, it all depends. I recently set up a Citrix Metaframe XP farm with NFuse and I was able to take advantage of what they call SSL Relay to ensure encryption existed between the NFuse Portal Server and the 5 load balanced servers in the farm.
My suggestion is this: use a cheaper SSL provider like http://www.instantssl.com which is only like $200+ bucks versus the Verisign $900+ bucks option. The only significant difference I saw between the two providers is the amount of insured liabilities. The encryption is the same though.
You can also create your own certificate, but that will be considered "untrusted"... however the encryption process works just fine.
Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 30 September 2003 : 05:04:15
Dayve,
It is Verisign we use for our certs, and we pay $AUS1800.00 per cert, they obviously see us coming.. Verisign have informed us that we need to pay for 1 cert per server, and not pay for 1 cert for all servers.
quote: Originally posted by dayve
Yes and No, it all depends. I recently set up a Citrix Metaframe XP farm with NFuse and I was able to take advantage of what they call SSL Relay to ensure encryption existed between the NFuse Portal Server and the 5 load balanced servers in the farm.
My suggestion is this, use a cheaper SSL provider like http://www.instantssl.com which is only like $200+ bucks versus the Verisign $900+ bucks option. The only significant different I saw between the two providers is the amount of insured liabilities. The encryption is the same though.
You can also create your own certificate, but that will be considered "untrusted"... however the encryption process works just fine.
Be interesting to see if Verisign have changed their attitude towards this.
quote: Originally on www.instantssl.com
Price:
At only $449 for a one year Certificate, PremiumSSL is the most cost effective wildcard SSL Certificate available today. With a warranty level to cover the needs of all professional websites, PremiumSSL Wildcard Certificates are the most affordable and commercially logical wildcard solution available. To help customers avoid the hassle of renewing every year, we also offer discounted 2 and 3 year Certificates. For customers requiring their wildcard Certificate to be used across multiple physical servers, we also provide discounts on multi-server licensing.
Good to see they give discounts to go on different physical servers. Thanks for the info Dayve, may have to point the powers that be to them.. A lot cheaper...
Cheers, David Greening
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 30 September 2003 : 05:06:56
quote:
I am not sure on wild card certs, but I know that if you purchase only one (1) cert for a domain, then it can not be used on another server.
That is not strictly true; it depends on how the SSL was created. They can be tied to a machine name (can't then move it) or to a domain name. Obviously a domain name can move from one server to another, and the SSL cert with it.
A wildcard SSL is not tied to any particular machine.
Podge
Support Moderator
Ireland
3776 Posts
Posted - 30 September 2003 : 09:00:46
Even cheaper at $199 - http://www.freessl.com/chainedssl/chainedssl_wildcard.html
I've been looking at buying a cert over the last two weeks and I haven't heard any good news about InstantSSL:
"Why is stability important for chained root SSL certificates? Like FreeSSL certificates, ChainedSSL certificates are issued from a trusted CA root certificate that is owned by FreeSSL.com. Some chained root certificate providers, such as Comodo InstantSSL, do not own their own trusted root, which means that their chained root offerings are unstable. They rely on the trusted root certificate owner to allow them to issue certificates and have no control over what the owner of the certificate does with the certificate - as has recently been shown when Baltimore has decided to sell the root certificate. The only way to offer a stable chained root product is to own the root being used to issue the chained root certificates."
Podge.
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 30 September 2003 : 10:17:54
I've been using FreeSSL certs since .. well, back when they were really free :) never had any real problems with them.
Classicmotorcycling
Development Team Leader
Australia
2085 Posts
Posted - 30 September 2003 : 21:00:33
This is what we thought, but Verisign informed us that it was one cert, one server. We were placing the one cert across multiple servers.
quote: Originally posted by HuwR
That is not strictly true, it depends how the SSL was created, they can be tied to machine name (can't then move it), or a domain name. Obviously a domain name can move from one server to another, and the ssl cert with it.
a wildcard ssl is not tied to any particular machine.
Verisign were on site to see our setup and it was discovered that we had been only paying for the use of the cert on one server and we were made to pay for the years, and the servers we installed the cert on.
I feel it would be better to check with the cert provider before placing it on other servers, just in case they find out and decide to make you pay later. Is that a fair comment?
Cheers, David Greening
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 01 October 2003 : 03:35:15
Not sure if personally I'd believe or trust anything Verisign said anymore; I've lost what little respect I had for that company long before even their latest "smartfinder" stunt.
HuwR
Forum Admin
United Kingdom
20595 Posts
Posted - 01 October 2003 : 05:21:19
I too do not like Verisign.
Anyway, to verify the original first question.
Each server (machine) needs its own certificate, however when buying a wildcard SSL, it is normal practice to only charge a nominal fee (say £10) for each subsequent certificate, if it is part of the same domain as the main SSL.
lofty
Junior Member
USA
158 Posts
Posted - 02 October 2003 : 12:56:33
Thanks HuwR, that makes sense, and was confirmed by an InstantSSL technical rep.
As for going between IIS and Apache/OpenSSL type certificates, they claim that you can convert from IIS style to the PEM format of OpenSSL. That should let me secure my websites on IIS and my mail server that uses Stunnel for secure POP email.
Thanks for the responses everyone.