Re: Slightly OT: SSL certs - best practice?



Hi all,

Clemens Renner wrote:
> Hi James,
>
> I would advise against using wildcard certificates. There certainly are situations where this might be adequate but I'm in favor of a single server certificate for each service that uses a different (virtual) host. Thus, I have created several certificates for Apache SSL hosts plus certificates for mail serving, etc.

An alternative to wildcard certificates is the SAN or SubjectAltName method documented here:

http://wiki.cacert.org/wiki/VhostTaskForce

It seems to work, I've used it (note that the primary CN should be duplicated in the SAN list).

>> PS - Once I've worked out how exactly I'm supposed to be doing this, I'll probably get some "officially" signed certs. I hear CACert are a good, free way of doing this. Anyone got any comments on that?
>> ...
> I'd say the same thing applies to certificates signed by a CA that does not do a "real" verification of the requesting person by which I mean that you probably don't need to go somewhere and show some official ID to prove that you are in fact you.


OK, just to clarify here - CAcert's system of verification includes (in general) checking of identity documents in a person-to-person process.

Once people have been verified to their standard - they call it their assurance process - the assured user can issue certs with names in them, using a "class 3" root; before that, users can only issue unnamed certs using an anon "class 1" root.

(Whether this works for you, all depends.)

iang

PS: I gather that the "class 3" and "class 1" convention comes from verisign.
_______________________________________________
freebsd-security_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security