1

I work Tech. Support at a web design company. Many of our past clients are hosted by another company ("Company X") but they renew their SSL certificates through us. We sell QuickSSLs from GeoTrust. We develop in .NET so all hosting is IIS.

Company X has gone downhill since we started (then stopped) recommending them and now it's a pain to renew SSL certificates with them. For a while they charged us $50/renewal to cover their time (export CSR, install CER). They frequently move sites to new servers and say the SSL can't transfer with it (and occasionally try to sell their own SSLs). It's impossible to explain to our clients why we can't just resend the certificate to use on the new server (we only have the CSR and CER).

So instead I want to order these SSL certificates from start to finish on one of our internal IIS servers, then export a PFX and send it to Company X. If they lose it we have a copy on our end, and there are fewer steps to go wrong.

I can't find anyone else who is doing this. Is it a bad idea or just a desperate one? Is there a technical limitation I'm missing (like IIS6 to IIS7)? If your SSL vendor did this would you be put off? I can't decide if this is a bad idea or an obvious one.

Thanks SF!

WimpyProgrammer
  • 509
  • 1
  • 4
  • 13
  • I feel your pain with Company X. We're in the same boat. For 7 years their service was fantastic, but in the last 6 months it's become rotten, with a 2 week wait just to change a DNS entry. At least they didn't charge us $50 for it though. – Mark Henderson Oct 01 '09 at 05:23

2 Answers2

3

I can't find anyone else who is doing this. Is it a bad idea or just a desperate one?

I don't think it is an entirely bad idea if you have systems in place to protect the keys that you keep from being compromised. I have done this a couple times for my clients when I knew that my client wouldn't be able to create the key and I didn't trust the web host to not loose the key.

I don't think I would keep someone else's keys on a publicly accessible IIS box. I would suggest you create the keys for your clients on a machine that is behind a good firewall and is very secure.

If your SSL vendor did this would you be put off?

I would be a bit put off by this, but I know how to create my own certificates, and I don't give my keys+certificates to some hosting service.

I think it would be ok if:

  • You inform your clients that you will be keeping a copy of the key and certificate for them.
  • You do your best to make sure they understand the potential risk
  • You offer alternatives about how they could generate they key themselves or find a vendor that will re-issue a key in case of a loss.
  • You take steps to make sure they keys you key are very well protected against being compromised.

They already are trusting 'Company X' with their keys+certificate and their server so they must not be needing a really high-security setup.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • I appreciate your detailed suggestions. I'll draft an explanation for the affected clients informing them of our new practice and why we do it. Thanks! – WimpyProgrammer Oct 01 '09 at 20:47
0

Knowing how sensitive the private key is, I would be a little put off finding out that my SSL provider did this. But as long as care is taken to protect the private key while it is being transferred to the host and backed-up, there is no technical reason why you can't do this safely.

Robert
  • 1,575
  • 7
  • 7