
We're using a wildcard certificate on several hosts, which right now means that we have to distribute the wildcard cert's private key to each machine, which is a security problem. On the other hand, buying a separate certificate for each new host is way too expensive for us.

Is there a way to not have the private key on each host? Can I myself create a certificate for that specific host and sign it with the wildcard certificate, or something along those lines? How is this normally handled?

futlib

1 Answer


Most companies will allow unlimited duplicates of a wildcard that use a different CSR. DigiCert allows unlimited free dupes on their Wildcard Plus, for example.

You could sign your own certs, but no browsers would have a trust for it so it's a little pointless.

MDMarra
  • But that would still make MITM attacks on all our connections possible if just one host is compromised, right? – futlib Nov 09 '11 at 13:04
  • Yes. This is the downside with wildcard certificates -- you only have one identity. – David Schwartz Nov 09 '11 at 14:21
  • Then I fear that wouldn't really win much for us. Not that we like the thought of having to manually request a certificate from a CA for each host, we create new ones all the time. – futlib Nov 09 '11 at 14:25
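The per-host duplicate workflow the answer describes, as an added example that is not code from the original thread or from DigiCert: each host generates its own private key and a CSR for the same wildcard name, the CSR is what gets sent to the CA for a duplicate, and the key never leaves the host. The domain example.com and the host names web1 and web2 are placeholders; the upload of the CSR to the CA is not shown. The `csr_ok` and `keys_distinct` checks are the ones to run before enrolling, to confirm the CSR is well-formed and that no two hosts ended up sharing a key.

```shell
#!/bin/sh
# Added example (not from the original post or the CA's own tooling).
# One private key + one CSR per host, all for the same wildcard name.
# Assumptions: example.com, web1 and web2 are placeholders; -addext needs
# OpenSSL 1.1.1 or newer.
set -u

WILDCARD="*.example.com"   # assumed placeholder for the real wildcard name

# make_host_csr DIR HOST: writes DIR/HOST.key (stays on the host) and
# DIR/HOST.csr (the only thing the CA needs). Prints the CSR path.
make_host_csr() {
  dir="$1"; host="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$host.key" 2>/dev/null
  chmod 600 "$dir/$host.key"
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$WILDCARD" \
    -addext "subjectAltName=DNS:$WILDCARD,DNS:example.com"
  printf '%s\n' "$dir/$host.csr"
}

# csr_ok CSR: the CSR's self-signature must verify and its CN must be the
# wildcard name, otherwise the CA will reject it or issue the wrong name.
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
  openssl req -in "$1" -noout -subject | grep -q 'CN *= *\*\.example\.com'
}

# pubkey_fp FILE: SHA-256 fingerprint of the public key carried by a private
# key file or by a CSR, so keys and CSRs can be compared across hosts.
pubkey_fp() {
  case "$1" in
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *)     openssl pkey -in "$1" -pubout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_distinct DIR H1 H2: returns 0 only when the two hosts' CSRs carry
# different public keys, i.e. nobody copied a key between machines.
keys_distinct() {
  [ "$(pubkey_fp "$1/$2.csr")" != "$(pubkey_fp "$1/$3.csr")" ]
}

# demo: two hosts, two keys, two CSRs; every check must pass.
demo() {
  d=$(mktemp -d)
  make_host_csr "$d" web1 >/dev/null
  make_host_csr "$d" web2 >/dev/null
  if csr_ok "$d/web1.csr" && csr_ok "$d/web2.csr" &&
     keys_distinct "$d" web1 web2 &&
     [ "$(pubkey_fp "$d/web1.key")" = "$(pubkey_fp "$d/web1.csr")" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$d"
  return $rc
}
```

Each duplicate issued from a different CSR is a separate certificate with its own serial number, so a compromised host's copy can be revoked without re-keying the others; the comments above still apply, though, because every copy asserts the same wildcard name until that revocation lands.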