Most organizations use certificates in some fashion. Web servers, email servers, messaging servers... everything seems to be moving in the direction of public key certificates. But certificates can be costly and confusing to manage, especially with large web farms or email-centric companies. One great solution to this problem is the use of subject alternative name (SAN) certificates.
The Shortcut Guide to Subject Alternative Name Certificates provides information about SAN certificates to show how they can be used in a variety of technologies. These special certificates allow multiple hosts to use the same certificate, avoiding the costs of obtaining, deploying, and managing multiple nearly-identical certificates. This guide will explore what SAN certificates are, how they work, and how they can help you deploy server farms more efficiently. You may even discover that you already have SAN certificates available that can be put to good use with no additional expense!
There are numerous ways to apply public key infrastructure (PKI). There are probably as many unique solutions available as there are companies to apply them to. A one-size-fits-all PKI simply does not exist. And in a similar vein, there is no perfect PKI; there is almost always a tradeoff made during the process of PKI implementation.
For example, deploying an externally managed PKI may cut costs, such as internal headcount or the deployment of intranet infrastructure servers, while incurring other costs, including monthly maintenance fees. Another, more esoteric example is key size. Many cryptographic algorithms allow an administrator to select the size of the public key used for the PKI. As you may already know, the general rule is that, for a given algorithm, the larger you make the key, the harder the protected data is to break. So many executives and IT professionals will initially decide to use the largest key possible. And if there were no downsides, that would be a great choice. However, the drawback is that intense calculations must be made every time the key is used, and particularly when the key is generated. As a result, the system becomes far more secure but far slower.
You will almost certainly have some amount of compromise in your decision because, frankly, you do not have infinite resources at your disposal. Because there is no single best PKI solution, you need to be familiar with as many available options as possible. This familiarity helps you determine the best way to address the stated needs.
This guide is provided in four chapters. Each chapter focuses on a different aspect of the concepts and practical use of SAN certificates:
Why write a four‐chapter guide about one very specific aspect of public key certificates? To put it in very simple terms, SAN certificates are amazingly powerful tools that you can use to solve important business problems inexpensively and efficiently. However, they must be used properly to realize the benefits and avoid potential drawbacks. We'll show you how to do both in this guide.
A SAN certificate is like most other certificates. It is requested with a PKCS #10 certificate signing request and supplied as a PKCS #7 package. But it has one important attribute that sets it apart from other, standard certificates: a SAN certificate carries a subject alternative name field that lists the additional host names that are allowed to use the certificate.
Take, for example, a company that has a Web presence at Example.com. Most Internet users will open a browser and type http://www.example.com and land on the company’s home Web page. But what happens when the company wants to switch to an SSL‐restricted Web site? The company will probably redirect all requests from http://www.example.com to https://www.example.com and obtain an SSL‐enabled certificate for that Web server. So far, so good.
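The deciding question in the Example.com scenario is whether a given host name is covered by the names listed in the certificate. The following is an added example (not code from the guide) that applies the name-matching rules a TLS client uses against a constructed SAN list for Example.com; the host names and the `EXAMPLE_SANS` list are assumptions, not values from the guide.

```python
"""Match host names against a certificate's subjectAltName (SAN) list.

Added example, not from the guide. Rules follow what browsers and mail
clients apply: DNS comparisons are case-insensitive, a wildcard counts
only as the entire left-most label and covers exactly one label, and a
name missing from the SAN list is rejected (modern clients ignore the CN).
"""

# Constructed SAN list for the Example.com scenario: one certificate that
# the web, mail and messaging hosts can all present.
EXAMPLE_SANS = [
    "example.com",
    "www.example.com",
    "mail.example.com",
    "*.chat.example.com",
]


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if "*" in p[1:] or any("*" in lbl and lbl != "*" for lbl in p):
        return False  # wildcard allowed only as the whole left-most label
    if p[0] == "*" and len(p) < 3:
        return False  # refuse '*.com'-style wildcards over a public suffix
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))


def covered_by(sans, hostname):
    """Return the SAN entry that covers hostname, or None if none does."""
    for entry in sans:
        if san_matches(entry, hostname):
            return entry
    return None


if __name__ == "__main__":
    for name in ["www.example.com", "WWW.EXAMPLE.COM", "smtp.example.com",
                 "a.chat.example.com", "a.b.chat.example.com"]:
        print(f"{name:24} -> {covered_by(EXAMPLE_SANS, name)}")
```

Any host the organization adds later (smtp.example.com, for instance) must be added to the SAN list and the certificate reissued, which is why the planning chapters below stress enumerating hosts up front.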
This chapter focuses almost exclusively on non‐technical concerns. The business value of PKI is fairly well understood. However, the options that SAN certificates offer to the PKI business proposition are not always clear. They are extremely powerful options that can make a significant difference in this infrastructure investment.
One of the most important business values that SAN certificates offer is in the area of certificate reuse. Simply put, you can use a single SAN certificate in a number of systems for several different tasks. Although that certificate might require a bit more of an initial investment, in the long run the SAN certificate can usually save time and money by simplifying your IT investments and getting more mileage out of that single certificate.
Using Existing Resources
One of the best ways to examine the business resources expended on PKI certificates is to examine the various phases of certification. There are a number of ways to describe these phases. We’ll use one that works from both a business and technical perspective, based on the certificate life cycle. The phases we’ll examine are:
In this final chapter, we will get back to the technical details by going through typical SAN-specific public key infrastructure (PKI) scenarios in detail. Many of the sections in this chapter will enable you to take direct action to start using SAN certificates.
Planning for SAN Certificates
Planning a certificate strategy using SAN certificates differs significantly from a single‐use certificate strategy. Before we begin to look at implementation details, we should take a brief look at how the certificate planning differs. As you’ll see, the result is that plans can be greatly simplified.
Because SAN certificates are more flexible than single‐instance certificates, in general, we can plan to obtain fewer certificates and use those certificates in multiple locations. For example, we can show how a company might secure its Internet‐facing servers with a series of certificates in a typical PKI deployment (see Figure 4.1).
Figure 4.1: A typical Internet-facing PKI deployment
As we can see, this deployment has four servers, one of each, that will serve as our server archetypes:
By sponsoring a book with Realtime Publishers, you will connect your technology company with thousands of IT professionals who need information on the technology topic of your choice. Realtime Publishers works with only the best authors in the IT field to produce expert-level publications that appeal to and educate the IT professional audience.
Visit sponsorships.realtimepublishers.com to learn more about our wide array of sponsorship and content marketing opportunities.