Hello Commvault Community,
The client wanted to switch to a configuration where HTTP in the environment was supposed to be completely disabled in favor of HTTPS, but there was a problem with the certificates - a problem with the CA certificate.
The client asks if this certificate could be a wildcard as they have for the main .xyz.pl domain to use it? It is signed by Well known CA, but is generic.
Thanks&Regards,
Kamil
Best answer by Jos Meijer
The webserver, as far as I know, works like any other certificate based system and can use wildcard certificates as long as the certificate chain is complete.
My question to you though is, do you want to walk this path?
By using a wildcard you are semi-bypassing the purpose of the https certificate which is identification of the server you are connecting to. Yes the certificate chain on the webserver needs to be in place, but anyone can do this if they can get their hands on the certificate chain. A server specific certificate will lower this risk as a specific address is being validated against the certificate.
Additionally there are pro's and cons regarding certificate lifecycle management.
Yes you only need to generate new one new certificate chain every x time which is easier to manage.
But you also have a single point of failure on all systems using the wildcard certificate, if the certificate expires this will affect all sites using this certificate at the same time.
Depending on the amount of sites using the wildcard certificate it will also require more time to manage whilst performing the change towards a new version of the certificate as you are forced to change all at once. When using different certificates you can distrubute the workload over time to perform the changes. But this fully depends on your change management preference and capabilities regarding company admin resources to address such changes.
+17The webserver, as far as I know, works like any other certificate based system and can use wildcard certificates as long as the certificate chain is complete.
My question to you though is, do you want to walk this path?
By using a wildcard you are semi-bypassing the purpose of the https certificate which is identification of the server you are connecting to. Yes the certificate chain on the webserver needs to be in place, but anyone can do this if they can get their hands on the certificate chain. A server specific certificate will lower this risk as a specific address is being validated against the certificate.
Additionally there are pro's and cons regarding certificate lifecycle management.
Yes you only need to generate new one new certificate chain every x time which is easier to manage.
But you also have a single point of failure on all systems using the wildcard certificate, if the certificate expires this will affect all sites using this certificate at the same time.
Depending on the amount of sites using the wildcard certificate it will also require more time to manage whilst performing the change towards a new version of the certificate as you are forced to change all at once. When using different certificates you can distrubute the workload over time to perform the changes. But this fully depends on your change management preference and capabilities regarding company admin resources to address such changes.
Thank you for that answer. It explained a lot to me, so there is a matter of discussing internally about the necessary certificates.
Kind Regards,
Kamil
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
