Aside from compromising your DigiCert account, compromising a host where the key can be exported from is the more likely approach. Having a PFX file with the key sitting around on a share (something that isn't as uncommon as you'd think unfortunately) is another possible angle.

Thanks,
Brian Desmond
w - 312.625.1438 | c - 312.731.3132

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 1:36 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

That would require them to have the private key though. I spoke with Digicert a few minutes ago about this topic as I freaked out a little not understanding the risk. Their response was:

- Your Digicert account would have to be compromised
- They can revoke any certificate that is compromised
- I can revoke any certificate compromised if able to
- Best Practice: always get a duplicate wildcard certificate with a separate SAN for each host

Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 1:35 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

A wildcard cert asserts a certain level of assurance that the party on the other end is, say, contoso.com for any name under contoso.com. If you lose the cert, someone can impersonate you for any name they want as long as that cert isn't revoked. More of a keep track of where you have the cert installed thing than anything else. Ideally it lives in one place - e.g. a load balancer/reverse proxy - rather than being distributed across a ton of servers.

Thanks,
Brian Desmond
(w) 312.625.1438 | (c) 312.731.3132

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 12:24 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

With the duplicate, you're actually putting a name in the SAN, so I'm not sure that this particular use case exists with Digicert?

Or, probably more accurately, I don't understand your risk...

Chris Ferguson
IT Manager, Infrastructure and Operations | NEPC, LLC
P: +1 (617) 395-7329 | M: +1 (978) 257-9789

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Tuesday, May 24, 2016 12:59 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] SSL Certificate

Just keep good track of the wildcard. The downside of losing a single name cert is somebody can go be foo.contoso.com; when you misplace a wildcard (until it gets revoked), someone can go be *.contoso.com.

Thanks,
Brian Desmond
(w) 312.625.1438 | (c) 312.731.3132

-----Original Message-----
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ferguson, Chris
Sent: Tuesday, May 24, 2016 10:44 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] SSL Certificate

Ah, yes... Another +10 for the wildcard cert - makes deployment far easier.

> On May 24, 2016, at 11:40 AM, Melvin Backus <melvin.bac...@byers.com> wrote:
>
> +10 for Digicert. They are a bit more expensive than GoDaddy, but way cheaper
> than Verisign / Thawte. I cannot possibly say enough about their support
> team. I've had cases where they actually called me to help before I even
> open a ticket. They also have free duplicates so if you have a need for a
> wildcard, etc., it makes it really easy to deal with across multiple
> platforms.
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> -----Original Message-----
> From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com]
> On Behalf Of Ferguson, Chris
> Sent: Tuesday, May 24, 2016 10:27 AM
> To: ntsysadm@lists.myitforum.com
> Subject: Re: [NTSysADM] SSL Certificate
>
> I use Digicert. They have a great customer service model. If I make a
> mistake, they walk me through it without charge.
>
> If I have trouble installing a certificate, they help me out there too.
>
>
>> On May 24, 2016, at 9:23 AM, Liby Philip Mathew <lmat...@path-solutions.com>
>> wrote:
>>
>> Hi,
>> I want to purchase an SSL certificate for one of our support web sites.
>> Which is the most preferred SSL certificate provider? What will be the
>> approximate cost?
>> Anything specific to be considered while purchasing the certificate?
>> This is the first time I am going to purchase/use a third party certificate.
>> Appreciate any assistance.
>> TIA
>>
>> Regards
>> Mathew
>>
>> Disclaimer
>>
>> [The information contained in this e-mail message and any attached files are
>> intended solely for the use of the individual or entity to whom they are
>> addressed. This transmission may contain information that is confidential,
>> Path Solutions Private, or exempt from disclosure under applicable law
>> and/or Path Solutions information security policy. The receiver of this
>> communication shall not transmit any part of this message unless the email
>> subject clearly classifies it as "Public" or a written permission has been
>> given by the information assets owner. If you have received this e-mail in
>> error, please notify the sender immediately and delete all copies; any
>> disclosure, copying, distribution, or use of the information contained
>> herein is STRICTLY PROHIBITED. Path Solutions accepts no responsibility for
>> any errors, omissions, computer viruses and other defects.]
>>
>> P Protect our planet: Do not print this email unless necessary.
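The thread's practical advice boils down to "know every place the wildcard key lives": the machine stores it is installed in, whether the key there is marked exportable, and whether a PFX copy is sitting on a file share. The script below is an added example written for this page, not code from the thread or from DigiCert; it assumes WinRM access to the listed hosts, and the thumbprint value, host names and share paths are constructed placeholders to be replaced with your own.

```powershell
# Added example (not from the thread): inventory where a certificate is
# installed, whether its private key is exportable, and whether PFX/P12
# files are lying on shares. Thumbprint, hosts and shares are placeholders.
param(
    [Parameter(Mandatory)]
    [string]   $Thumbprint,                                            # placeholder, e.g. the wildcard cert's SHA-1 thumbprint
    [string[]] $ComputerName = @('web01', 'web02', 'lb01'),             # constructed host names
    [string[]] $SharePath    = @('\\fileserver\it', '\\fileserver\certs') # constructed share paths
)

# Runs on each remote host: look the cert up in the machine store and report
# whether a private key is present and whether it is marked exportable.
$probe = {
    param($Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $false
                                  HasPrivateKey = $null; Exportable = $null; NotAfter = $null }
    }
    $exportable = $null
    if ($cert.HasPrivateKey) {
        # Legacy CAPI keys expose CspKeyContainerInfo.Exportable; CNG keys
        # return no PrivateKey object here, so report "unknown" rather than guess.
        try { $pk = $cert.PrivateKey } catch { $pk = $null }
        if ($pk -and $pk.CspKeyContainerInfo) {
            $exportable = $pk.CspKeyContainerInfo.Exportable
        } else {
            $exportable = 'unknown (CNG key)'
        }
    }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Installed     = $true
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
        NotAfter      = $cert.NotAfter
    }
}

# Fan the probe out over the host list; hosts that cannot be reached are
# reported as errors instead of silently dropping out of the inventory.
$installs = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $Thumbprint -ErrorAction Stop
    } catch {
        [pscustomobject]@{ Host = $c; Installed = 'error'; HasPrivateKey = $null
                           Exportable = $null; NotAfter = $null; Error = $_.Exception.Message }
    }
}

Write-Host "Certificate $Thumbprint - installation inventory:"
$installs | Format-Table Host, Installed, HasPrivateKey, Exportable, NotAfter -AutoSize

# Hosts holding an exportable copy of the key are the ones the thread worries
# about; ideally this list is just the load balancer / reverse proxy.
$exportableHosts = $installs | Where-Object { $_.Exportable -eq $true }
Write-Host "Hosts with an exportable private key: $(@($exportableHosts).Count)"

# The "PFX on a share" case: find key containers on the listed shares and
# who owns them, so they can be moved or deleted.
$looseKeys = Get-ChildItem -Path $SharePath -Recurse -Include *.pfx, *.p12 -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'Owner'; Expression = { (Get-Acl -Path $_.FullName).Owner } }

Write-Host "PFX/P12 files found on shares: $(@($looseKeys).Count)"
$looseKeys | Format-Table -AutoSize
```

Run it as an account with WinRM and read rights on the shares, e.g. `.\Find-CertCopies.ps1 -Thumbprint '<wildcard thumbprint>'`. Anything in the "exportable" list that is not the intended single deployment point, and every PFX found on a share, is a place the key can leak from and should be cleaned up; if that cannot be done, the thread's fallback applies: revoke and reissue.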