Tip

Are Exchange wildcard certificates worth the risk?

Many Exchange shops use wildcard certificates to lower costs and add flexibility, but there are security risks, compatibility issues and potential management headaches that may outweigh those benefits.

What is a wildcard certificate?
Wildcard certificates are a type of X.509 certificate in which the Subject Alternate Name (SAN) is replaced by a wildcard, making the certificate valid for multiple machines. This lets Exchange customers use a single certificate for their root domain and for all of their first-tier sub-domains, reducing the number of certificates they need to buy.

    Requires Free Membership to View

Wildcard certificates provide the same level of encryption as regular certificates, but they are not without risk.

Wildcard certificate security issues
A regular X.509 certificate is typically bound to either a single server or to a single domain. For example, it's common for an Exchange Server administrator to purchase an X.509 certificate to use in conjunction with his client access server (CAS). This certificate is typically tied to the CAS's fully qualified domain name, which prevents it from being used on any other machine.

Since wildcard certificates are used by multiple servers in multiple domains, the servers that share the certificate also share the same private key. This is a major security risk because if a single server is compromised, the individual who hacked the server could gain access to a private key that is valid across the entire Exchange organization.

Using this key, the hacker can also configure a rogue machine to represent itself as any one of the servers on the network. Network clients will inherently trust this rogue server because it is using a private key that has previously been deemed trustworthy.

Traditional X.509 certificates are more secure than wildcards because each certificate establishes a private key that is unique to one server. That security benefit may be worth the investment.

Wildcard certificate management issues
And as you can imagine, when wildcard certificates are compromised, management headaches follow.

When a non-wildcard certificate is compromised, the certificate must be revoked and then re-issued to every server that uses it. But it isn’t that simple with wildcard certificates.

Suppose you have 100 servers that all use the same wildcard certificate. If something happens to that certificate, you must manually remove the certificate from each server, then issue a new certificate to each server. That's a lot of work.

Wildcard certificate compatibility with Exchange Server
Even though Exchange Server 2007 and Exchange 2010 fully support wildcard certificates you might run into compatibility issues.

The first issue impacts Exchange shops that use ActiveSync for mobile device connectivity. Some mobile devices -- particularly those running Windows Mobile 5.0 -- don't support SSL sessions that are encrypted with wildcard certificates. Because these devices cannot establish SSL connectivity with the CAS, they are unable to initiate ActiveSync synchronization.

Additionally, if you choose to use wildcard certificates, you must reconfigure the Autodiscover service on Exchange 2007 client access servers. If you do not reconfigure them, clients will not be able to connect. (You can find additional information about these client connectivity issues at TechNet).

ABOUT THE AUTHOR:
Brien Posey is an eight-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

This was first published in August 2011

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.