Ok, so this might be a little off topic but I am trying to validate something a vendor is telling me and hoping some people here have expertise in this area...

I am working with a SSL certificate provider. I am trying to purchase a quantity of wildcard SSL certificates to cover about 60 FQDN's across 4 domains. Vendor is telling me that the Wildcard certificates are licensed per physical device it is installed on. This means instead of using a single wildcard across 20 servers, I would have to buy 20 wildcard certs for 20 servers.

This does not compute in my brain and also in my mind completely defeats the purpose of a wildcard cert as I know it. Has anyone run into this before?

Thanks
Blake
Yes, some SSL providers (mostly the overpriced ones) like to "license" their certs on a per-server basis. If you read the contract language, this is how it's written.

However, this is strictly a contractual issue, not a technical one. It's just a way to squeeze more money out of people who don't know any better. Speaking strictly from a technical standpoint, there is nothing at all stopping you from using the same cert/keys on as many servers as you'd like.

There are SSL providers out there that are reasonable about the whole thing and sell you a cert, not a single-device-license.

- Pete
Many vendors do this and I highly recommend someone like Digicert that won't play the per-machine licensing game with you.

Sent from my iPhone
Blake,

Many vendors assign to a single IP address. When you send your CSR it is for one server only. Look at some of the public/free CAs to find some unbiased info. You could hide everything behind a proxy/loadbalancer if you want.

--
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
I did and it was vendor dependent which is why I switched a year and a half ago.

TTFN,
Larry
------------------------------------
http://www.linkedin.com/in/llabas
On Thu, Dec 27, 2012 at 2:47 PM, Blake Pfankuch <blake@pfankuch.me> wrote:
> Vendor is telling me that the Wildcard certificates are licensed per physical device it is installed on.

If you stay at a $200 hotel, you pay an extra $10 for Internet access. If you stay at a $40 motel, Internet is included. Same difference.

Regards,
Bill Herrin

--
William D. Herrin ................ herrin@dirtside.com bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Thanks everyone for the quick responses. Our stuff is currently through Verisign because of the "reliability of the name" and the nature of the industry. Any suggestions for who I should look at to replace them with? I know I will be saving money, but looking to keep the name reliability as well. Thawte and GeoTrust have the same "per server" model, and looking to get away from that.

Thanks!
Blake

-----Original Message-----
From: Blake Pfankuch [mailto:blake@pfankuch.me]
Sent: Thursday, December 27, 2012 12:48 PM
To: NANOG (nanog@nanog.org)
Subject: SSL Certificates and ... Providers
On Thu, Dec 27, 2012 at 3:37 PM, Blake Pfankuch <blake@pfankuch.me> wrote:
> Our stuff is currently through Verisign because of the "reliability of the name" and the nature of the industry.

verisign sold this business (like 2+ years ago?), maybe it's time to find someone else with a reliable name? (who hasn't sold the business out from under you)
Yes, the Verisign auth stuff is done by Symantec as of 2010.

-Grant
I've found rapidssl wildcards are generally the cheapest (~$120), and are not limited to a number of servers. In practice, neither are the other brands.

Ken
-- Ken Anderson
It does make no sense, and I would say it is an unusual restriction, but a CA can put any certificate usage restriction they want in their policy, and technically, they have likely included a right to audit and issue out a revocation/CRL for any certificates not following their usage policy: a common example would be an SSL cert used to facilitate phishing.

Make your X509 vendor take the language out of the agreement against the use on multiple servers, or buy from one of the many dozens of other certificate providers who issues wildcards and has no such special restriction on certificate usage in the certificate signing/usage policies. :)

--
-JH
participants (10)
- Andrew Latham
- Blake Pfankuch
- Christopher Morrow
- Grant Ridder
- Jimmy Hess
- John Adams
- Ken A
- Larry LaBas
- Peter Kristolaitis
- William Herrin