SSL with CA cert w/o domain name?

Forum Moderators: phranque

Message Too Old, No Replies

SSL with CA cert w/o domain name?

SSL CN for local server

sybaritefury

12:05 am on Dec 28, 2007 (gmt 0)

I have been reading a lot about what you need for a CA to sign your cert, when you are a registered domain. I have a slightly different problem-- what if you're not a registered domain and want a signed cert? And yes, it's important that it NOT be a self-signed cert.

We are building a handheld application which will need to collect a swipe from a credit card and send the information wirelessly to a server for processing. To keep the information secure, we're using SSL.

Each customer has a server at their site, each of which must be named the same thing (let's say, myServer). So can I get a CA to give me a signed cert where the CN is myServer? And if I get one of those, am I allowed to distribute the cert to all the servers?

LifeinAsia

1:16 am on Dec 28, 2007 (gmt 0)

My understanding is that you need to have a unique certificate for each server. Why can't it be a self-signed cart?

sybaritefury

4:23 pm on Dec 28, 2007 (gmt 0)

We're communicating over SOAP, and the version of SOAP we are using can't pop up a window that asks if they want to accept. It won't auto-accept anything but a CA-signed cert.

We are trying to avoid having an extra setup step for the customer that would have to be redone every time they let their handheld battery run out :)

jtara

5:33 pm on Dec 28, 2007 (gmt 0)

It won't auto-accept anything but a CA-signed cert.

Surely, though, there's some configuration file or database table that lists the acceptable CAs.

Just create your own CA (which you can do with any Linux or Windows server), and add it to that file. No need to pay somebody else for private certificates.

sybaritefury

5:46 pm on Dec 28, 2007 (gmt 0)

Yes. There is. We can certainly *manually* install a self-signed and it works fine. But, like I said earlier...

We are trying to avoid having an extra setup step for the customer that would have to be redone every time they let their handheld battery run out :)

So does anyone actually know whether I will have to get one per server?

LifeinAsia

5:54 pm on Dec 28, 2007 (gmt 0)

According to VeriSign,

The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option.

I imagine others have similar licensing agreements.

jtara

7:18 pm on Dec 28, 2007 (gmt 0)

Yes. There is. We can certainly *manually* install a self-signed and it works fine.

I don't think you understood my comment.

I'm not talking about self-signed certificates. I'm talking about CA-signed certificates. Only you create the CA.

Your SOAP package almost certainly has a list of acceptable CAs. Otherwise, you could never add or revoke a CA, ever. That would be pretty impractical, so I have to assume that there is a list.

Create a CA. Add the CA to the list in your software.
This goes on ALL of your devices - no need to customize this for each device.

Now, create a certificate for each server, and sign it with your own CA.

The device will connect to any server signed by your CA.

For added security and control, DELETE the CAs for the public CAs (Verisign, etc.)

Now the devices will ONLY connect to a server that YOU have issued a certificate to. This is a useful way to control licensing. The server certificate expires when your license expires. The user can't simply extend use of the product by getting a publicly-signed certificate. They will have to come back to you, pay the license fee, and get a new certificate for their server.

No, you shouldn't use the same certificate on multiple servers. The whole system wasn't designed for that to happen, and it could cause all sorts of confusion and unintended side-effects. A certificate has to be issued to a particular domain name or IP address.