Wildcard Digital Cert or Per Server Digital Certificate

[mlchris2]

I was tasked with a project to find out which option the company should go with in regards to SSL certificates.

The Network Manager is out on vacation and I am doing research awaiting his return, so I dont have alot of information.

We currently have a un-signed certificate and the question was asked "do we go with a Signed Certificate and if so, how/what/why".

I've done a little research and the best option that I can see is to get a wildcard certificate, however there is one major downfall to this, and if we have to revoke the cert, we have to do it on every server.

so my question is;

* is it worth the extra money to buy a Digital Cert for every server (my knowledge we have 20 servers or so) or is the above issue with the wildcard certs not that big of deal?

* Also, what is the recommendations as far as implementing certificates in a Windows 2003/2008 Server domain. We are currently running Certificate Services but how it is configured, I dont have all the facts.

I would like your opinions, advice, etc.


Mark C.

 

[ITPangaeaArchitect]

Ok so here's the deal. If your websites that wwill be encrypted are public facing, you will want to go with a certificate from someone like verisign to secure the site (downside being, no client side cert reqs can be implemented). however, for internal/employee only sites, in other words, those you can distribute a certificate to freely, it is perfectly acceptable, and cost effective, ot go with an internal CA structure.

In the last certificate redesign i did for a major fortune 500 company, i came up with a cost saving of over 800k/yr just for public to private certificate swaps, combined with internal dept to dept charging of costs as specified within the business rules....

hope this helps

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (

http://it-pangaea.com)

 

[mlchris2]

Yea it does. I think for cost sake and the fact that we have 100's of workstations, servers, routers, switches, Linux machines, we could probably stick with our internal CA structure. Most of what we are doing is all internally based anyway and seems to be working fine.

However, I was tasked with this project to find a solution to a few issues we are having when going from Internal to Public... if that's understandable??? We have a Web Security device when Internal users send requests out to a HTTP or HTTPS site, this Web Security device fails to process the request because it cannot accept the Certificate request from the HTTP/HTTPS site... cause we are using a unsigned root cert.

It was noted to me by the Network Manager that we have Linux and MAC servers/workstations that no one knows the SSL side of these.

So my thought was this...

purchase a Wildcard certificate from a CA, import that into our internal CA structure... thus resolving the issue with the Web Security device. the only downside is with this, if we have to revoke the cert for any reason... we have to do it on the 100's of devices that use it.

The only option i can think of is purchase a "specific" root CA for this Security device and somehow load it into our internal structure and keep the rest of the devices on the internal CA.

Any ideas? I am doing research on the web currently but am lost as I know minimal about Certs, etc.

Mark

Mark C.