[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Load balancer and Security Certificates

To: zimbra-hied-admins@sfu.ca
Subject: Re: Load balancer and Security Certificates
From: Rich Graves <rgraves@carleton.edu>
Date: Mon, 14 Jul 2008 13:21:52 -0500 (CDT)
In-reply-to: <487B9589.2040102@tamu.edu>

> definitely the avenue to pursue.  Our networking group wouldn't let us 
> acquire wildcard certs

I would advise against too-promiscuous use of a single *.example.edu key. If any one service is compromised, then all others are effectively unencrypted.

However, if your email has its own DNS subdomain and everything is managed by the same people in the same way behind the same loadbalancer, then go ahead.

Btw, if you are OK with potential problems with embedded devices, you can get free wildcard certs at certs.ipsca.com. The main client problems we've seen are with Java runtimes and Windows Mobile, both of which are really hard to fix at the client end. So we continue to pay for Thawte certs for the most visible services (including Zimbra), but use IPSCA for most web sites.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-646-7079 Cell: 952-292-6529

Follow-Ups:
- Re: Load balancer and Security Certificates
  - From: Steve Hillman <hillman@sfu.ca>

References:
- Re: Load balancer and Security Certificates
  - From: Tom Golson <tgolson@tamu.edu>

Prev by Date: RE: Load balancer and Security Certificates
Next by Date: Re: Load balancer and Security Certificates
Previous by thread: RE: Load balancer and Security Certificates
Next by thread: Re: Load balancer and Security Certificates
Index(es):
- Date
- Thread