Are Exchange wildcard certificates worth the risk?

Are Exchange wildcard certificates worth the risk?

Many Exchange shops use wildcard certificates to lower costs and add flexibility, but there are security risks, compatibility issues and potential management headaches that may outweigh those benefits.

What is a wildcard certificate?
Wildcard certificates are a type of X.509 certificate in which the Subject Alternate Name (SAN) is replaced by a wildcard, making the certificate valid for multiple machines. This lets Exchange customers use a single certificate for their root domain and for all of their first-tier sub-domains, reducing the number of certificates they need to buy.

    Requires Free Membership to View

    Login

    When you register, you’ll also receive targeted alerts from my team of editorial writers and independent industry experts with the latest news, tips, and advice to help you do your job more efficiently and effectively. Our goal is to keep you informed on the hottest topics and biggest challenges faced by Exchange professionals today working with Exchange, Outlook and other related technologies.

    Margie Semilof, Editorial Director

    By submitting your registration information to SearchExchange.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchExchange.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Premium Access

Register now for unlimited access to our premium content across our network of over 70 information Technology web sites.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in August 2011

It is sometimes possible to include multiple SANs in a single certificate

Wildcard certificates provide the same level of encryption as regular certificates, but they are not without risk.

Wildcard certificate security issues
A regular X.509 certificate is typically bound to either a single server or to a single domain. For example, it's common for an Exchange Server administrator to purchase an X.509 certificate to use in conjunction with his client access server (CAS). This certificate is typically tied to the CAS's fully qualified domain name, which prevents it from being used on any other machine.

Since wildcard certificates are used by multiple servers in multiple domains, the servers that share the certificate also share the same private key. This is a major security risk because if a single server is compromised, the individual who hacked the server could gain access to a private key that is valid across the entire Exchange organization.

SSL-encrypted sessions that use a wildcard certificate are not always less secure than a comparable session that's been encrypted with a normal X.509 certificate with a single SAN.

Using this key, the hacker can also configure a rogue machine to represent itself as any one of the servers on the network. Network clients will inherently trust this rogue server because it is using a private key that has previously been deemed trustworthy.

Traditional X.509 certificates are more secure than wildcards because each certificate establishes a private key that is unique to one server. That security benefit may be worth the investment.

Wildcard certificate management issues
And as you can imagine, when wildcard certificates are compromised, management headaches follow.

When a non-wildcard certificate is compromised, the certificate must be revoked and then re-issued to every server that uses it. But it isn’t that simple with wildcard certificates.

Suppose you have 100 servers that all use the same wildcard certificate. If something happens to that certificate, you must manually remove the certificate from each server, then issue a new certificate to each server. That's a lot of work.

Wildcard certificate compatibility with Exchange Server
Even though Exchange Server 2007 and Exchange 2010 fully support wildcard certificates you might run into compatibility issues.

The first issue impacts Exchange shops that use ActiveSync for mobile device connectivity. Some mobile devices -- particularly those running Windows Mobile 5.0 -- don't support SSL sessions that are encrypted with wildcard certificates. Because these devices cannot establish SSL connectivity with the CAS, they are unable to initiate ActiveSync synchronization.

Additionally, if you choose to use wildcard certificates, you must reconfigure the Autodiscover service on Exchange 2007 client access servers. If you do not reconfigure them, clients will not be able to connect. (You can find additional information about these client connectivity issues at TechNet).

ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top