11, June 2018
Many small certificates or one big one?
As if the jungle of SSL-certificates was not hard to navigate as it is with all its combinations of levels and providers (read more here), there is also something called a “SAN” certificate. SAN stands for ”Subject Alternative Names” and is a certificate that enables the same certificate to be used on several domains/subdomains, something that would otherwise require several individual SSL-certificates.
As described in the third part of our SSL-certificate school, it is the management and renewal of an organisation’s SSL-certificates that causes the most stomach-ache for the one responsible. A SAN-certificate can often be the answer to his or her prayers since it means you only have to keep track of one certificate, with a single end date and a single supplier.
What are the advantages of a SAN-certificate versus individual certificates?
There are a great number of consolidating several “smaller” certificates by replacing them with one SAN-certificate. The primary advantage obviously being less work and less certificates to renew.
What are the potential disadvantages?
Of course there are disadvantages, otherwise everyone would be using SAN-certificates.
The primary disadvantage of using a SAN-certificate is that the certificates are all generated using the same CSR. This means that if the certificate is hacked, all SAN-certificates are affected. At the same time, the primary advantage of the SAN-certificate, the fact that you only have to renew one certificate, also its disadvantage if the renewal is neglected. If the certificate is not renewed, the certificate stops working everywhere it is being used. However, if the certificate is under control, for example managed by a trusted certificate partner, this is a small risk compared to the advantages of using a SAN-certificate.
How does one go about if one wants to start using a SAN-certificate?
Firstly, you must find out which certificates that you have and how they are currently being used.
Common usages for SSL-certificates:
- Public websites
- Internal systems
- Other services that require encrypted data traffic
In a recent project, a client of ours had 18 different SSL-certificates for internal systems and services. That meant 18 different certificates to keep track of and renew. My recommendation was that we helped them set up a new SAN-certificate that included all internal systems and services.
The same can be done for public websites. However, it is important to check if the certificate owner for the sites needs to differ on the individual sites. This is because you can only have one owner on a SAN-certificate.
Regardless, it is always a good idea to separate the certificates based on areas of usage, that way you can more easily keep track of which certificate that is being used for what.
How we can help you with you management of certificates
Our aim is to ensure the same secure management of SSL-certificates as with domain names and trademarks. For maximum protection against certificates failing because of poor management, our recommendation is to always consolidate your certificates.
Let my team of experts help you with a plan for a more secure certificate management according to the following stages:
- The analysis
In collaboration with you, we analyse your current certificate situation. Which certificates are there? From which providers? And so on. The analysis is summarised in a document containing a recommended action plan for optimizing the current certificate management.
- Creating control
Based on the action plan, we enable the client to make sure every certificate is under control, with the aim of every certificate being managed by Ports Group for total control and security.
- Ongoing certificate partnership with portfolio management
Ports Group is a gold partner of Digicert, Symantec, Geotrust and Thawte – we have the ability to provide our clients with a smooth and secure certificate partnership, with one dedicated contact and safe management.