Dear Wiki user,
You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change
notification.
The "ScratchPad" page has been changed by jmcg:
http://wiki.apache.org/httpd/ScratchPad?action=diff&rev1=41&rev2=42
Comment:
trival replacements of weird characters.
Understanding Multi-Use Digital Certificates
Abstract
- With the proliferation of internal Web-based services that must be exposed to
the Internet, organizations are turning more and more to the use of SSL
certificates. However, using traditional SSL certificates can become cumbersome
and quite expensive, especially when organizations offer several
Internet-facing services. This is where multi-use certificatescertificates
that can be reused for different purposescan help. Using a single multi-use
certificate, organizations can reduce costs and simplify certificate management.
+ With the proliferation of internal Web-based services that must be exposed to
the Internet, organizations are turning more and more to the use of SSL
certificates. However, using traditional SSL certificates can become cumbersome
and quite expensive, especially when organizations offer several
Internet-facing services. This is where multi-use certificates -- certificates
that can be reused for different purposes -- can help. Using a single multi-use
certificate, organizations can reduce costs and simplify certificate management.
"'Introduction'"
- The best way to prove who you are on the Internet is to use a digital
certificate. Thats because a digital certificate relies on a trusted,
third-party authority to verify your identity. In fact, it uses a chain of
trust that begins with you and works its way up to the trusted authority that
validates who you are. This chain of trust provides verifiable Internet
security.�
+ The best way to prove who you are on the Internet is to use a digital
certificate. That's because a digital certificate relies on a trusted,
third-party authority to verify your identity. In fact, it uses a chain of
trust that begins with you and works its way up to the trusted authority that
validates who you are. This chain of trust provides verifiable Internet
security.
Take Internet user Bill for example. Bill uses a digital certificate to sign
all of his emails. This example demonstrates the concept of authenticity. The
certificate authenticates Bill as the author of the email.
- The digital certificate also verifies that Bill is the actual author and
sender of the email. This is the concept of non-repudiationby using a
certificate, you can certify with reasonable certainty that the signed document
is trusted to be from Bill or at least someone who possesses the private key
corresponding to the signing certificate.
+ The digital certificate also verifies that Bill is the actual author and
sender of the email. This is the concept of non-repudiation -- by using a
certificate, you can certify with reasonable certainty that the signed document
is trusted to be from Bill or at least someone who possesses the private key
corresponding to the signing certificate.
In addition, because Bill signs his emails with a digital certificate, the
email cannot be tampered with without invalidating the signature. This is the
concept of integrity. Because the email includes a digital signature, it cannot
be modified while in transit without the tampering being obvious to the
recipient.
- Two more security concepts are supported by digital certificates.
Availability is critical to the third-party organization that certifies that
Bill is who he claims to be. The verification service must be available when
you need to verify Bills certificate. Finally, confidentiality is provided by
the ability to encrypt data both in the content itself and in the transport
mechanism that is used to send the data to a destination on the Internet.
+ Two more security concepts are supported by digital certificates.
Availability is critical to the third-party organization that certifies that
Bill is who he claims to be. The verification service must be available when
you need to verify Bill's certificate. Finally, confidentiality is provided by
the ability to encrypt data both in the content itself and in the transport
mechanism that is used to send the data to a destination on the Internet.
- Similarly, organizations that process transactions on the Internet or that
offer Internet-based services need to rely on digital certificates to validate
that they are who they claim to be; otherwise, no one will trust their
services. Most organizations do this by adding certificates to their
Internet-facing servers. When users access a web page hosted on one of these
servers, their Web browser will automatically detect the certificate and modify
the session, from an open session using the HyperText Transfer Protocol (HTTP)
to secure HTTP (HTTPS). This will allow for the encryption of all the data
sent between the users workstation and the server. HTTPS data encryption is
provided by the Secure Sockets Layer (SSL). Basically, SSL creates an
encryption tunnel between the client and the server protecting the transfer of
data from one point to the other during the communication exchange. You know
you are using SSL when your browser displays a closed padlock in its status
bar.
+ Similarly, organizations that process transactions on the Internet or that
offer Internet-based services need to rely on digital certificates to validate
that they are who they claim to be; otherwise, no one will trust their
services. Most organizations do this by adding certificates to their
Internet-facing servers. When users access a web page hosted on one of these
servers, their Web browser will automatically detect the certificate and modify
the session, from an open session using the HyperText Transfer Protocol (HTTP)
to secure HTTP (HTTPS). This will allow for the encryption of all the data
sent between the user's workstation and the server. HTTPS data encryption is
provided by the Secure Sockets Layer (SSL). Basically, SSL creates an
encryption tunnel between the client and the server protecting the transfer of
data from one point to the other during the communication exchange. You know
you are using SSL when your browser displays a closed padlock in its status
bar.
"'Working with SSL Certificates'"
- In order to enable SSL on their external-facing servers, organizations must
purchase a certificate from a trusted certification authority for each
protected service they provide. Today, organizations can offer several services
to their end usersemail, instant messaging, mobile device management,
Web-based interactions and moreand each one of the servers providing these
services requires its own certificate.
+ In order to enable SSL on their external-facing servers, organizations must
purchase a certificate from a trusted certification authority for each
protected service they provide. Today, organizations can offer several services
to their end users -- email, instant messaging, mobile device management,
Web-based interactions and more -- and each one of the servers providing these
services requires its own certificate.
SSL certificates are tied to the unique domain name on which a service is
hosted. Embedding the domain name into the certificate is important since this
makes it possible to ensure the identity of the remote computer providing the
service by comparing the domain name being accessed to the domain name included
in the certificate itself.
Certificates are issued for a finite period, usually in 12-month increments.
Because of this, you should aim to obtain certificates that are valid for
extended periods of time. You should also aim to select static service names
because each time a service name changes, the certificate must be changed on
each server that provides the service. These strategies will reduce the
workload associated with periodic renewal and installation of certificates on
your servers.
- These problems are compounded when organizations must use different domain
names for each secure service they make available on the Internet. In fact,
organizations often find themselves in a situation where they need to use
sub-domain namesnames that use the same root name, but require a different
prefix nameto secure each of the services they offer. Because prefix names are
embedded into SSL certificates, organizations usually buy one certificate per
service. As you can imagine, this can become expensive and time-consuming to
manage, especially in organizations that run a multitude of Internet-facing
services.
+ These problems are compounded when organizations must use different domain
names for each secure service they make available on the Internet. In fact,
organizations often find themselves in a situation where they need to use
sub-domain names -- names that use the same root name, but require a different
prefix name -- to secure each of the services they offer. Because prefix names
are embedded into SSL certificates, organizations usually buy one certificate
per service. As you can imagine, this can become expensive and time-consuming
to manage, especially in organizations that run a multitude of Internet-facing
services.
Enter the multi-use SSL certificate. There are two types of multi-use
certificates:
Wildcard certificates can secure multiple sub-domains on a single unique
Fully Qualified Domain Name using a single certificate.
Multi-domain certificates can secure multiple Fully Qualified Domain Names
using a single certificate.
Each certificate can simplify management and reduce costs given the right
situation.
"'Wildcard Certificates'"
- The first type of multi-use certificate is the wildcard certificate. The name
you embed in a certificate must always follow the fully-qualified domain name
(FQDN) format. If you want a certificate for the Session Initiation Protocol
(SIP) used by instant communication servers in the VirtualSpaceShip.com domain,
the name embedded into the certificate will be SIP.VirtualSpaceShip.com. If you
want a certificate for the email service, then you would normally have to buy a
second certificate with the second service
namemail.VirtualSpaceShip.comembedded into it.
+ The first type of multi-use certificate is the wildcard certificate. The name
you embed in a certificate must always follow the fully-qualified domain name
(FQDN) format. If you want a certificate for the Session Initiation Protocol
(SIP) used by instant communication servers in the VirtualSpaceShip.com domain,
the name embedded into the certificate will be SIP.VirtualSpaceShip.com. If you
want a certificate for the email service, then you would normally have to buy a
second certificate with the second service name -- mail.VirtualSpaceShip.com --
embedded into it.
In addition, some secure service implementations require internal as well as
external validation and you use a different name for each; for example,
InternalSip.VirtualSpaceShip.com and ExternalSIP.VirtualSpaceShip.com. In this
case, you must have a certificate on each server in the internal and external
service to allow users to work unimpeded whether they are in the office or on
the road. This is the case for instant messaging infrastructures where you want
to ensure messages are encrypted whether they are internal or external. Note
that servers cannot include two certificates for the same purpose.
Wildcard certificates do not include service names. Instead, they are
standard certificates that support the use of a wildcard character to replace
the prefix name in the subject name field, for example, *.VirtualSpaceShip.com.
Using a wildcard certificate is much more practical and versatile than using
multiple single purpose certificate since the wildcard certificate can be
applied to a number of different services without requiring any updates. In
addition, you can add, change or replace services without needing to update the
certificate.
@@ -39, +39 @@
Multi-domain certificates include the standard Subject Name field which
supports a single primary service name, as well as an additional entry called
the Subject Alternative Name field which supports the additional service names.
The SAN certificate can therefore be installed on several servers and function
properly to support internal/external service delivery.
SAN certificates have the same issues as single-purpose certificates however.
Because the actual service names are embedded into the certificate, you must
make sure your services always use the same name otherwise you must change the
certificate and since the certificate is a multi-use certificate, you must
change it on each of the computers that host the service which the certificate
supports. Additionally, when you want to add services to provide further
functionality to your users, you must update the SAN certificate with the new
service names.
- Multi-domain, SAN, or UCC certificates are useful when organizations require
different root domain names to run Internet-facing services. Subject alternate
name certificates are also called Unified Communications Certificates (UCC)
since they were primarily designed to support real-time communications
infrastructures. For example, an organization providing both internal and
external unified communications services with two different domain namesfor
example, SIP.VirtualSpaceShip.com the external domain and
SIP.VirtualSpaceShip.com for the internal namewould benefit from a
multi-domain certificate because in this case, the wildcard certificate would
not work. In fact, if the organization was using wildcard certificates, two
wildcard certificates would be required because the root domain name is
different in each case.
+ Multi-domain, SAN, or UCC certificates are useful when organizations require
different root domain names to run Internet-facing services. Subject alternate
name certificates are also called Unified Communications Certificates (UCC)
since they were primarily designed to support real-time communications
infrastructures. For example, an organization providing both internal and
external unified communications services with two different domain names -- for
example, SIP.VirtualSpaceShip.com the external domain and
SIP.VirtualSpaceShip.com for the internal name -- would benefit from a
multi-domain certificate because in this case, the wildcard certificate would
not work. In fact, if the organization was using wildcard certificates, two
wildcard certificates would be required because the root domain name is
different in each case.
A single multi-domain certificate could easily support the following names
and more: www.VirtualSpaceShip.com, www.VirtualSpaceShip.ws,
www.VirtualCDVD.com, www.VirtualWorkersInSpace.com
- Multi-domain certificates are also useful for application service providers
(ASP) who host applications for multiple clients with each client using their
own domain name. By using a multi-domain certificate, ASPs can use a single
certificate to support multiple clients. Note that the site seal and
certificate Issued To will only be for the primary domain name entered in the
certificate and will not include any of the other domain names. However, the
certificate itself will include all of the domain names that have been entered
when the certificate was purchased.
+ Multi-domain certificates are also useful for application service providers
(ASP) who host applications for multiple clients with each client using their
own domain name. By using a multi-domain certificate, ASPs can use a single
certificate to support multiple clients. Note that the site seal and
certificate "Issued To" will only be for the primary domain name entered in the
certificate and will not include any of the other domain names. However, the
certificate itself will include all of the domain names that have been entered
when the certificate was purchased.
While multi-domain certificates are also useful when used to support unified
communications deployments, there are some caveats for their use:
- Multi-domain certificates do not support use of wildcard characters. For
this reason, sub-domain names must be added as a unique domain name entries in
the certificate. Each time a new domain name is added or an old one is removed
the certificate must be updated and re-deployed to each host server.
@@ -56, +56 @@
Both certificate types offer several benefits and include several features.
In addition, both are available in full authentication format only. Domain-only
authentication certificates only require the validation of the domain before
they are issued, and because of this, cannot be used with multi-use
certificates. Full authentication certificates require both the validation of
the domain itself and the validation of the business running the domain.
Because of this, full certificates are more trustworthy than domain-only
certificates. This is another reason the full authentication model is used for
multi-use certificates. Keep this in mind as you make your choice.
"'Making the Selection'"
- Multi-use certificates were developed to provide multiple secure services
originating from a single IP address. To accomplish this, these certificates
either add a subject alternate name (SAN) field to the common single-use
certificate or use a wildcard to replace the service name in the certificate.
Microsoft Exchange Server 2007 is an excellent example of this type of
requirement. The same external Exchange server can publish several different
types of services: Outlook Web Access, Outlook Anywhere Access, AutoDiscovery
configuration information, and more. Each of these services requires the
publishing of its own namefor example, OWA.VirtualSpaceShip.com,
Mail.VirtualSpaceShip.com, Autodiscover.VirtualSpaceShip.com ideally within a
single certificate.
+ Multi-use certificates were developed to provide multiple secure services
originating from a single IP address. To accomplish this, these certificates
either add a subject alternate name (SAN) field to the common single-use
certificate or use a wildcard to replace the service name in the certificate.
Microsoft Exchange Server 2007 is an excellent example of this type of
requirement. The same external Exchange server can publish several different
types of services: Outlook Web Access, Outlook Anywhere Access, AutoDiscovery
configuration information, and more. Each of these services requires the
publishing of its own name -- for example, OWA.VirtualSpaceShip.com,
Mail.VirtualSpaceShip.com, Autodiscover.VirtualSpaceShip.com -- ideally within
a single certificate.
Multi-use certificates reduce cost and simplify management by supporting the
inclusion of multiple names within the same certificate or the replacement of
service names with a wildcard. However, each multi-use certificate type should
only be used in specific situations:
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
