As enterprises and service providers enhance their
Web sites and extranets with new technology to reach larger audiences,
server configurations have become increasingly complex. To ensure a
common, high-level standard of security across all types of configurations,
VeriSign recommends that you do not share or copy certificates among
servers.
Wildcard SSL Certificate

Problem: A Wildcard SSL Certificate enables SSL encryption on multiple sub-domains using a single certificate as long as the domains are controlled by the same organization and share the same second-level domain name. However, sharing certificates across domains comes with risks and challenges.
- If one server or sub-domain is compromised, all sub-domains may be compromised.
- If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
- Wildcard certificates may not work seamlessly with older server-client configurations.
- VeriSign Wildcard SSL Certificates are not protected by NetSure warranty or managed through our Managed PKI for SSL Control Center.

Solution: Deploy a unique certificate for each server rather than using a Wildcard Certificate. Learn more about Wildcard SSL Certificates.
Problem: When private keys are moved among servers, by disk or by network, accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise.

Solution: Deploy a unique certificate for each server, or license a single certificate across multiple servers in appropriate configurations.
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. VeriSign's licensing policy allows licensed certificates to be shared in the following configurations:
- Redundant server backups
- Server load balancing
- SSL accelerators
See Licensing VeriSign Certificates for more information.
Problem: When a user connects to a Web site secured by an SSL Certificate, the client browser and the site perform an SSL handshake. At that time, the client browser confirms that the hostname in the Web site URL and the common name of the certificate are the same. If they are not, the client browser displays a warning.

Solution: Use appropriate Common Name and organizational information to prevent warnings or error messages.
To ensure that users receive correct information and that their information is protected, VeriSign recommends that certificates are not shared in a configuration with multiple physical servers with different hostnames.
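The two checks described above, the browser's name comparison during the handshake and the one-label wildcard rule, can be reproduced in a few lines and run against a server inventory to find the deployments that would trigger the warning. The following Python is an added example, not code from the VeriSign article; it applies browser-style name matching (RFC 6125 semantics, an assumption on my part as to the exact rule), and the inventory it audits is constructed sample data.

```python
"""Audit a fleet for certificate/hostname mismatches the way a browser would
see them during the SSL handshake (added example, not VeriSign code)."""

from typing import Dict, Iterable, List


def _split_labels(name: str) -> List[str]:
    """Normalise a DNS name: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Rules applied (browser / RFC 6125 style, assumed here):
      * a name without '*' must match exactly;
      * a wildcard counts only as the entire leftmost label ('*.example.com'),
        never '*.com', 'w*.example.com' or 'a.*.example.com';
      * the wildcard matches exactly one label, so '*.example.com' covers
        'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    if "*" in hostname:
        return False
    p_labels = _split_labels(pattern)
    h_labels = _split_labels(hostname)
    if "*" not in pattern:
        return p_labels == h_labels
    # The wildcard must be the whole first label and must leave at least the
    # second-level domain and the TLD behind it.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # Exactly one label is substituted for '*'.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if any name in the certificate (CN plus SAN entries) covers hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def audit_deployment(deployment: Dict[str, Iterable[str]]) -> List[str]:
    """Map of server hostname -> names carried by the certificate that server
    presents. Returns, sorted, the hostnames whose certificate does not match,
    i.e. the servers on which a browser would show the name-mismatch warning."""
    return sorted(
        host for host, names in deployment.items()
        if not hostname_matches_cert(host, names)
    )


# Constructed sample inventory (hypothetical hosts): one certificate issued
# for www.example.com copied onto three servers, plus one wildcard certificate.
SAMPLE_DEPLOYMENT: Dict[str, List[str]] = {
    "www.example.com": ["www.example.com"],
    "shop.example.com": ["www.example.com"],       # copied cert, different hostname
    "mail.example.com": ["www.example.com"],       # copied cert, different hostname
    "api.example.com": ["*.example.com"],          # wildcard covers one label
    "dev.api.example.com": ["*.example.com"],      # two labels: not covered
    "example.com": ["*.example.com"],              # bare domain: not covered
}

if __name__ == "__main__":
    for host in audit_deployment(SAMPLE_DEPLOYMENT):
        print(f"{host}: certificate names do not match; browsers will warn")
```

The inventory deliberately includes the two situations the article warns about: a single certificate copied to servers with other hostnames, and a wildcard certificate expected to cover a bare domain or a deeper sub-domain. Both show up in the audit output as servers that would produce the browser warning.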
Problem: If customers violate the terms of the certificate license, they forfeit the NetSure protection provided with their certificate.

Solution: Follow the terms of the certificate license.
Due to the increased risk of private key compromise associated with copying certificates and private keys from server to server, licensing a certificate for multiple servers is less secure than deploying unique certificates. For this reason, VeriSign offers only $10,000 in NetSure warranty protection for each additional license purchased.