SSL Certificates and ... Providers

Ok, so this might be a little off topic but I am trying to validate something a vendor is telling me and hoping some people here have expertise in this area...

I am working with an SSL certificate provider. I am trying to purchase a quantity of wildcard SSL certificates to cover about 60 FQDNs across 4 domains. The vendor is telling me that the wildcard certificates are licensed per physical device they are installed on. This means instead of using a single wildcard across 20 servers, I would have to buy 20 wildcard certs for 20 servers.

This does not compute in my brain and also in my mind completely defeats the purpose of a wildcard cert as I know it. Has anyone run into this before?

Thanks
Blake
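Before pricing the licensing question, it helps to check how many wildcards the 60 names actually need, since a wildcard such as *.example.com matches exactly one label and never the bare apex or a deeper subdomain. The following is an added example written for this thread, not code from any poster; the FQDN list is constructed and the matching follows the single-label wildcard rule from RFC 6125.

```python
from collections import defaultdict

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a leading-label wildcard (or exact name) covers hostname.
    Only '*.' as the complete left-most label is honoured, and it may stand in
    for exactly one label, as browsers and RFC 6125 require."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]           # the part the '*' must absorb
    return bool(left) and "." not in left     # one non-empty label, no dots

def plan_wildcards(fqdns):
    """Group hosts by the wildcard that would cover them.
    Returns (pattern -> covered hosts, hosts no wildcard can cover)."""
    plan = defaultdict(list)
    uncovered = []
    for host in fqdns:
        host = host.lower().rstrip(".")
        labels = host.split(".")
        if len(labels) < 3:                   # apex such as example.com
            uncovered.append(host)            # needs its own SAN entry
            continue
        pattern = "*." + ".".join(labels[1:])
        assert wildcard_matches(pattern, host)
        plan[pattern].append(host)
    return dict(plan), uncovered

# Constructed sample list: four parent domains, one apex, one deeper host.
SAMPLE_FQDNS = [
    "www.example.com", "mail.example.com", "example.com",
    "www.example.net", "api.example.net",
    "portal.example.org",
    "www.example.edu", "vpn.example.edu", "db.internal.example.edu",
]

if __name__ == "__main__":
    plan, uncovered = plan_wildcards(SAMPLE_FQDNS)
    for pattern, hosts in sorted(plan.items()):
        print(f"{pattern:28} covers {len(hosts)}: {', '.join(hosts)}")
    print("not coverable by any wildcard:", uncovered)
```

Note that db.internal.example.edu lands under a separate *.internal.example.edu wildcard rather than *.example.edu, so "4 domains" can still mean more than four certificates once deeper subdomains appear.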

Yes, some SSL providers (mostly the overpriced ones) like to "license" their certs on a per-server basis. If you read the contract language, this is how it's written. However, this is strictly a contractual issue, not a technical one. It's just a way to squeeze more money out of people who don't know any better.

Speaking strictly from a technical standpoint, there is nothing at all stopping you from using the same cert/keys on as many servers as you'd like. There are SSL providers out there that are reasonable about the whole thing and sell you a cert, not a single-device-license.

- Pete

Many vendors do this and I highly recommend someone like Digicert that won't play the per-machine licensing game with you.

Blake

Many vendors assign to a single IP address. When you send your CSR it
is for one server only. Look at some of the public/free CAs to find
some unbiased info. You could hide everything behind a
proxy/loadbalancer if you want.

I did and it was vendor dependent which is why I switched a year and a half ago.

TTFN,
Larry

If you stay at a $200 hotel, you pay an extra $10 for Internet access.
If you stay at a $40 motel, Internet is included. Same difference.

Regards,
Bill Herrin

Thanks everyone for the quick responses. Our stuff is currently through Verisign because of the "reliability of the name" and the nature of the industry. Any suggestions for who I should look at to replace them with? I know I will be saving money, but looking to keep the name reliability as well. Thawte and GeoTrust have the same "per server" model, and looking to get away from that.

Thanks!
Blake

I've found RapidSSL wildcards are generally the cheapest (~$120), and
are not limited to a number of servers. In practice, neither are the
other brands.
Ken

It makes no sense, and I would say it is an unusual restriction,
but a CA can put any certificate usage restriction they want in their
policy, and technically, they have likely included a right to audit
and issue a revocation/CRL for any certificates not following
their usage policy: a common example would be an SSL cert used to
facilitate phishing. Make your X.509 vendor take the language against
use on multiple servers out of the agreement, or buy from one
of the many dozens of other certificate providers who issue
wildcards and have no such special restriction on certificate usage in
the certificate signing/usage policies. :)

Verisign sold this business (like 2+ years ago?), maybe it's time to
find someone else with a reliable name? (who hasn't sold the business
out from under you)

Yes, the Verisign auth stuff is done by Symantec as of 2010.

-Grant