As enterprises and service providers enhance their Web sites and extranets with new technology to reach larger audiences,
server configurations have become increasingly complex. To ensure a common, high-level standard of security across all
types of configurations, VeriSign recommends that you do not share or copy certificates among servers.
Tuesday-Wednesday Problem
Problem: Deploying different certificate types across a site creates the Tuesday-Wednesday problem. A site visitor may receive one kind of SSL assurance on Tuesday when shopping and a different level of SSL assurance when they return on Wednesday to purchase, eroding confidence.

Solution: Deploy the same type of SSL Certificate across multiple servers. If you have staggered validity periods and need to upgrade all of your SSL Certificates to the new Extended Validation Standard, contact VeriSign for assistance.
Wildcard SSL Certificate
Problem: A Wildcard SSL Certificate enables SSL encryption on multiple sub-domains using a single certificate, as long as the domains are controlled by the same organisation and share the same second-level domain name. However, sharing certificates across domains comes with risks and challenges:
- If one server or sub-domain is compromised, all sub-domains may be compromised.
- If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
- Wildcard certificates may not work seamlessly with older server-client configurations.
- VeriSign Wildcard SSL Certificates are not protected by the NetSure warranty or managed through our Managed PKI for SSL Control Centre.

Solution: Deploy a unique certificate for each server rather than using a Wildcard Certificate. Learn more about Wildcard SSL Certificates.
Certificate Sharing
Problem: When private keys are moved among servers - by disk or by network - accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise.

Solution: Deploy a unique certificate for each server, or license a single certificate across multiple servers in appropriate configurations. The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. VeriSign's licensing policy allows licensed certificates to be shared in the following configurations:
- Redundant server backups
- Server load balancing
- SSL accelerators
See Licensing VeriSign Certificates (PDF) for more information.
Business Identity Authentication
Problem: When a user connects to a Web site secured by an SSL Certificate, the client browser and the site perform an SSL handshake. At that time, the client browser confirms that the Web site URL and the common name of the certificate are the same. If they are not, the client browser will display a warning.

Solution: Use appropriate Common Name and organisational information to prevent warnings or error messages. To ensure that users receive correct information and that their information is protected, VeriSign recommends that certificates are not shared in a configuration with multiple physical servers with different hostnames.
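The hostname check described above, together with the "one compromise affects all sub-domains" point from the Wildcard SSL Certificate section and the key-tracing concern under Certificate Sharing, as one added example. This is not VeriSign's code and is not part of the original page. It assumes certificates in the dict shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames, certificates and key identifiers are constructed. Current browsers match the URL host against subjectAltName DNS entries and consult the Common Name only when the certificate carries no SAN DNS entries, and the helper mirrors that.

```python
"""Hostname checking and private-key blast radius for shared certificates.

Added example for this page, not VeriSign's code. Certificates use the dict
shape Python's ssl.SSLSocket.getpeercert() returns; every certificate, key
identifier and hostname below is constructed sample data.
"""
from __future__ import annotations


def dns_names(cert: dict) -> list[str]:
    """DNS names a certificate is valid for.

    Modern clients read subjectAltName dNSName entries and fall back to the
    subject commonName only when the certificate has no SAN DNS entries at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a URL hostname.

    A wildcard is honoured only as the whole leftmost label ('*.example.com'),
    matches exactly one label, and never matches the bare second-level domain.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def handshake_warning(hostname: str, cert: dict) -> str | None:
    """The browser-side check the text describes: None when the URL hostname is
    covered by the certificate, otherwise the text of the warning a user sees."""
    if any(name_matches(name, hostname) for name in dns_names(cert)):
        return None
    return f"certificate is for {', '.join(dns_names(cert))}, not {hostname}"


def blast_radius(inventory: dict[str, dict], compromised_host: str) -> set[str]:
    """Hosts an attacker holding compromised_host's private key could impersonate:
    every host served by the same key, plus every host whose name the stolen
    certificate already covers (a wildcard covers all of them)."""
    stolen = inventory[compromised_host]
    return {
        host
        for host, entry in inventory.items()
        if entry["key_id"] == stolen["key_id"]
        or any(name_matches(name, host) for name in dns_names(stolen["cert"]))
    }


# Constructed inventory: three servers under one second-level domain.
HOSTS = ["www.example.com", "shop.example.com", "mail.example.com"]

WILDCARD_CERT = {  # constructed; one certificate and key copied to every server
    "subject": ((("organizationName", "Example Ltd"),), (("commonName", "*.example.com"),)),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def unique_cert(host: str) -> dict:
    """Constructed per-server certificate that names only that host."""
    return {"subject": ((("commonName", host),),), "subjectAltName": (("DNS", host),)}


SHARED_DEPLOYMENT = {h: {"cert": WILDCARD_CERT, "key_id": "key-wildcard-01"} for h in HOSTS}
UNIQUE_DEPLOYMENT = {h: {"cert": unique_cert(h), "key_id": f"key-{h}"} for h in HOSTS}

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, "->", handshake_warning(host, WILDCARD_CERT) or "ok")
    print("shared key compromised:", sorted(blast_radius(SHARED_DEPLOYMENT, "mail.example.com")))
    print("unique key compromised:", sorted(blast_radius(UNIQUE_DEPLOYMENT, "mail.example.com")))
```

Running the block shows the two points the page makes side by side: the wildcard name satisfies the browser for any single-label sub-domain but not for the bare domain or for deeper names, and losing the key on one server of the shared deployment exposes every host in the inventory, whereas losing a per-server key exposes only that host.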
NetSure Protection Plan
Problem: If customers violate the terms of the certificate licence, they forfeit the NetSure protection provided with their certificate.

Solution: Follow the terms of the certificate licence. Due to the increased risk of private key compromise associated with copying certificates and private keys from server to server, licensing a certificate for multiple servers is less secure than deploying unique certificates. For this reason, VeriSign offers only US$10,000 in NetSure warranty protection for each additional licence purchased.