7

We are hosting our own secure site with a wildcard certificate. However, we are working with a marketing company that provides landing pages on subdomains of our domain, on IP addresses supplied by their ISP. They might want to secure those landing pages.

So the plan might be to allow them to use our wildcard certificate on their servers.

  1. Is this a good idea?
  2. Would it be better to get another certificate for the purposes of sharing with this other company?
  3. Should they get their own certificate, since it would be hosted on their servers, and perhaps just invoice us for the cost?

2 Answers

7

I've had to do this before with Marketo and a few other firms. In these situations, build a new wildcard cert using a subdomain and send them that cert/key pair. That way if they're compromised somehow you can revoke that single cert and remove that subdomain. This is a pretty common way to get around these issues.

Example:

  • Your existing wildcard: *.company.com
  • For marketing channel: Create *.campaign.company.com (give them this)

My caveat: No marketing solution that I've worked with ever really needed a full wildcard to do their job and it's possible their administration is just lazy. Ask if there are specific names they're looking for and in that case, SAN cert.

Never let another company build a cert against your domain name. A) They may not/should not be able to unless using a horrid CA, and B) they don't need to follow your compliance requirements regarding SSL.

-Chase

  • And by build / create, you mean ask an authority for another one? This would not be a private site on either end. And is there anything wrong with just asking for another *.company.com and sharing that? Or is this to make sure that DNS compromises won't work? – Gerard ONeill Oct 19 '15 at 19:30
  • 4
    Yea, go and purchase a new one from your CA specifically for this. You want to be the only one purchasing for your domain and in control of any cert for your org, so it's safer and better control to do this part yourself. You don't want to duplicate the existing root wildcard because if it did become compromised, it exposes everything in your domain. If you use a purpose-driven subdomain, only namespaces within that subdomain would be affected... instead of everything from mail to root www. –  Oct 19 '15 at 19:35
  • A SAN cert wouldn't help if they're generating subdomains in real time to avoid DNS-based blacklisting methods such as APK's favorite `/etc/hosts`. – Damian Yerrick Oct 20 '15 at 03:30
  • Thanks, Chaseabbott -- that was a great point about control of your domain name, and I'm glad to see some thinking has been done on this (I didn't see much on the interwebs, at least at pop sites via google). – Gerard ONeill Oct 20 '15 at 13:54
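
The scoping argument in the answer and comments above, as an added example that is not part of the original posts: it applies the usual wildcard rule (a `*` stands for exactly one left-most label) to compare which hostnames each certificate choice would be valid for if its key leaked. The host inventory and the `spring`/`promo` names are constructed for illustration; only full-label wildcards are handled.

```python
# Added example: compare the "blast radius" of each certificate option.
# Matching follows the common RFC 6125 rule: "*" replaces exactly one
# left-most DNS label and never spans a dot.

def cert_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.' wildcard) matches hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # wildcard never covers extra labels
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def exposed_hosts(cert_names, inventory):
    """Hosts for which a holder of this cert's key can present a valid cert."""
    return sorted(h for h in inventory
                  if any(cert_covers(n, h) for n in cert_names))


# Constructed inventory (hypothetical hostnames under the page's example domain).
INVENTORY = [
    "company.com", "www.company.com", "mail.company.com", "vpn.company.com",
    "campaign.company.com",
    "spring.campaign.company.com", "promo.campaign.company.com",
]

# The three options discussed in the thread.
CERTS = {
    "shared root wildcard": ["*.company.com"],
    "dedicated sub-wildcard": ["*.campaign.company.com"],
    "SAN cert": ["spring.campaign.company.com", "promo.campaign.company.com"],
}


def blast_radius():
    """Map each option to the inventory hosts affected if its key is lost."""
    return {label: exposed_hosts(names, INVENTORY)
            for label, names in CERTS.items()}


if __name__ == "__main__":
    for label, hosts in blast_radius().items():
        print(f"{label}: {len(hosts)} host(s) to re-key after revocation")
        for host in hosts:
            print("   ", host)
```

Note that `*.company.com` does not match two-level names such as `spring.campaign.company.com`, so the shared root wildcard would not even serve landing pages hosted below `campaign.company.com`.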
3
  1. NO! You have now shared your key with someone you can't trust to keep it safe.

  2. YES! This way if their key gets compromised or your key gets compromised, the other key is safe, and so are those systems/information.

  3. YES! At this point it is still you paying the cost for the key, and them using it. Six of one, but no email the other. This would be the recommended route however as it prevents you having to send them the key somehow, and it getting lost/damaged/stolen in transmission.

Robert Mennell
  • Thanks for your quick answer, Robert -- and your point about transmission. However I'm liking Chaseabbott's 'maintain control of your domain' response better. I think for more secure certs (the org based ones) this is the only way -- but that would be a different question. – Gerard ONeill Oct 20 '15 at 13:48