If you do an internet search for wildcard certificates, you’ll find a definition that reads, “a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain.” If you are new to the world of SSL/TLS certificates, you’ll think that wildcard certificates may be the answer to all your problems. Unfortunately, that’s not true in 99% of the cases. Before you add a wildcard certificate to your shopping cart or expand your usage of them, here’s a realistic perspective on some of the challenges and opportunities of wildcard certificates.
First, let’s discuss an ongoing management issue that is often glossed over. By definition, the value of wildcard certificates is that they can be deployed on many systems across subdomains. With that benefit, however, the line of ownership between the system and the wildcard certificate starts to blur. Who’s responsible for replacing the certificate on a specific system? That can be challenging to understand. Let me explain.
Generally, organizations have a Domain Name System (DNS) naming convention for internal or external certificates, so the DNS name in a certificate can often help them figure out which person or team is responsible for maintaining the infrastructure where the named certificate is being used. But with wildcard certificates, organizations must keep track of ownership at the system level, which is much harder to do.
So, what’s the cost of this ownership problem? Organizations often experience application outages when wildcard certificates expire because they don’t know all of the systems where the wildcard certificates are installed. And a compromised wildcard certificate can pose a huge security risk, since every system sharing that certificate and its private key is affected at once, not to mention a fire drill for many parts of the organization.
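To make the ownership and blast-radius problem concrete, here is an added example (not Venafi code) that runs over a constructed discovery inventory of hosts and the certificates found on them: it groups hosts by certificate fingerprint, reports how many systems share each wildcard certificate and how long until it expires, and flags hosts whose name the wildcard does not actually cover. The hostnames and fingerprints are made up for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory, as a discovery scan might record it per host:
# (hostname, certificate fingerprint, SAN names, notAfter). Values are made up.
INVENTORY = [
    ("api.corp.example",   "fp-aa11", ["*.corp.example"],    "2025-01-15"),
    ("build.corp.example", "fp-aa11", ["*.corp.example"],    "2025-01-15"),
    ("vpn.corp.example",   "fp-aa11", ["*.corp.example"],    "2025-01-15"),
    ("a.b.corp.example",   "fp-aa11", ["*.corp.example"],    "2025-01-15"),
    ("mail.corp.example",  "fp-bb22", ["mail.corp.example"], "2025-06-01"),
]


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Name matching as TLS clients apply it (RFC 6125): '*' is allowed only as
    the whole leftmost label and matches exactly one label, so *.corp.example
    covers api.corp.example but neither corp.example nor a.b.corp.example."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def is_wildcard(sans) -> bool:
    return any(s.startswith("*.") for s in sans)


def wildcard_report(inventory, today: str) -> dict:
    """Per wildcard certificate: number of hosts sharing it (the outage and
    key-compromise blast radius), days until expiry, and hosts whose name the
    wildcard does not cover (a misdeployment that will fail validation)."""
    by_fp, meta = defaultdict(list), {}
    for host, fp, sans, not_after in inventory:
        by_fp[fp].append(host)
        meta[fp] = (sans, date.fromisoformat(not_after))
    report = {}
    for fp, hosts in by_fp.items():
        sans, not_after = meta[fp]
        if not is_wildcard(sans):
            continue  # single-name certs map to an owner via DNS convention
        unmatched = [h for h in hosts if not any(wildcard_matches(s, h) for s in sans)]
        days_left = (not_after - date.fromisoformat(today)).days
        report[fp] = {"hosts": len(hosts), "days_left": days_left, "unmatched": unmatched}
    return report


if __name__ == "__main__":
    for fp, r in wildcard_report(INVENTORY, "2025-01-01").items():
        print(fp, r)
```

In a real deployment the inventory rows would come from a certificate discovery scan rather than a hard-coded list; the grouping by fingerprint is what turns “one wildcard certificate” into a list of systems that must all be touched before it expires.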
All that being said, wildcard certificates do offer certain benefits to your PKI, but you should be very specific about what you plan to accomplish by using them. When you are considering using wildcard certificates, there are 4 questions you should answer:
For fair balance, there are a few limited circumstances where wildcard certificates can have a valid use case. One ideal use case, for example, is when you have a lot of internal ephemeral infrastructure whose components need to communicate with each other. In this case, wildcard certificates can potentially be useful because they can speed up the time to bring that infrastructure into service. However, you will still need to implement security controls to protect your wildcard certificates. And even this use case can be addressed by implementing certificate issuance processes in your DevOps pipeline.
At Venafi, we want to help solve the underlying issues that might motivate you to use wildcard certificates by making it easy for you to request and deploy other types of certificates. We believe that automation is the future for certificates and the more intelligence you build into the process, the less value a wildcard certificate offers. Take the first step in identifying your wildcard certificate exposure with our certificate discovery capabilities and start easing the hidden costs of wildcard certificate management.