[TriLUG] wildcard certificate question - off topic a bit

Joseph Tate jtate at dragonstrider.com
Mon Jan 12 13:51:51 EST 2004


lo at unc.edu wrote:

> This is a little off topic though we do use apache on
> primarily linux webservers, but I am researching certificate
> options as one of our current certs will be expiring soon.
> One option under consideration is to purchase a wildcard
> certificate to cover our current systems and any future
> ones as well.  My questions are:
> 
> 1.  Has anyone had any experience with wildcard certificates
>     or had any problems with them?
> 2.  The certificate vendors all claim that most any browser
>     will work fine with a wildcard cert.  Has anyone run into
>     browsers that won't work with them?
> 
> Thanks in advance,
> Loren
> 

Without any more information on the project, I have the following to 
suggest:

1.  Wildcard certs.  Unless you have more systems than you can handle 
individually, wildcard certs from the major vendors are more expensive 
than individual certs.  They still charge per machine.

2.  I haven't seen or heard of a browser that doesn't support them.

My thoughts:
Unless your potential connectees are infinite, i.e. some sort of web 
store, you probably don't need a cert from Verisign/Thawte/whomever. 
Just generate a self signed CA key, post the public key for all your 
users to import, and generate keys signed by that one.  I've got one for 
my employer to make mail connections with, I've also got one at home for 
the same purpose.  My home cert is at 
http://www.dragonstrider.com/security/cacert.pem if you'd like to import 
it.  Try it out by connecting to https://www.dragonstrider.com/.

Joseph
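The private-CA setup Joseph describes (a self-signed CA whose public cert users import, with server certs signed by it), combined with Loren's wildcard question, as an added example that is not part of the original message. It assumes the openssl command-line tool is installed; the CA name, the `example.test` domain and the work directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original message): build a private CA with
# the openssl CLI, issue a wildcard server certificate signed by it, and
# verify the chain and hostname matching. Names and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d "${TMPDIR:-/tmp}/privca.XXXXXX")}"

# 1. Self-signed CA: ca.pem is the single file users import into their
#    browser or mail client; ca.key stays offline and is never published,
#    since whoever holds it can mint certs every importing user trusts.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. Wildcard server cert: the CSR is generated with the server key, then
#    signed by the CA. A wildcard covers exactly one DNS label, so the
#    bare domain is listed explicitly in subjectAltName.
issue_server_cert() {
    cat > "$WORK/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no
[dn]
CN = *.example.test
[v3_server]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:*.example.test, DNS:example.test
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 398 \
        -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.cnf" -extensions v3_server \
        -out "$WORK/server.pem" 2>/dev/null
}

# 3. The checks a client performs: chain to the imported CA, hostname match.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

matches_host() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# Without ca.pem imported the cert is untrusted: the default trust store
# knows nothing about a private CA.
trusted_by_default_store() {
    openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

make_ca
issue_server_cert
verify_chain && echo "chain OK with ca.pem imported"
matches_host www.example.test && echo "www.example.test matches the wildcard"
matches_host deep.sub.example.test || echo "deep.sub.example.test does not match (one label only)"
trusted_by_default_store || echo "untrusted without importing ca.pem, as expected"
```

The last two lines show the two things a practitioner should expect from this setup: a wildcard matches a single label only, so hosts nested one level deeper need their own entry or a separate cert, and nothing chains until each user has imported ca.pem, which is why Joseph posts his CA cert for download.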


