Security concerns issuing wildcard certificates to individual employees

I think you should segregate your environment. Only production certificates should be trusted on all your network. Dev and testing certificates should only be trusted on the computers where developers work. In a more secure environment you would not even use the same root CA for production and development environments.


I'm going to assume that your developers need locally trusted SSL certificates. As pointed out previously, it might be worth considering if they really do need those in the first place.

A wildcard certificate refers to a certificate with a CN or SAN on the form *.something.example.com.

The * expands to only a single label; it does not expand to multiple labels. So the above would match foo.something.example.com (* expanding to a single label) but not foo.bar.something.example.com (two labels) let alone foo.example.com (missing label).

Also keep in mind that if I recall correctly, multiple * labels are specifically disallowed in certificate SAN and CN fields. So you can't create a valid certificate for e.g. *.*.something.example.com; that would be rejected because it has multiple * in a single name. (I think this was one of the problems Stack Exchange the company ran into when working to set up network-wide HTTPS.)

Presumably, each developer workstation is named differently. So you might have developer workstations like dev033.internal.example.com, dev7g-vm2.example.com, or what have you.

So give each developer a single certificate for a single wildcard SAN under their own host's fully qualified name plus the fully qualified name of their own host. Set it up to not be allowed to use for signing other certificates (leaf certificate).

For example, give the developer who uses dev033.internal.example.com a certificate valid for only dev033.internal.example.com and *.dev033.internal.example.com.

That way, the developer is free to set up aliases to their own host (for example, api.dev033.internal.example.com and web.dev033.internal.example.com would both work with such a certificate) but can't set up any SSL for anything not under their own workstation's hostname. Presuming that you don't expose internal.example.com to any external hosts, outside of your network the developer also cannot really do anything with the certificate that they couldn't do with a self-signed certificate.

For bonus points, but not really required: sign these with an internal CA that is only used for such development (or testing, or whatever) certificates.

Tags:

Wildcard

Tls

Public Key Infrastructure

Related

What is the difference between a backdoor and a rootkit? How do mobile apps maintain such long sessions while still being considered secure? Security implication of telling the user they can't login because of too many attempts from IP Why does a SSH server need a host key-pair? Is WhatsApp or Facebook Messenger secret conversation a reasonable method for transferring passwords? Why do some sites ask for username/email and password on two separate screens? Can a website download documents, images, or other information onto my iMac without my consent or awareness? Is laptop "secure sleep" mode theoretically possible? Strange code running at startup How trustful are KeePass plugins? Is the unauthorized deletion of data considered a breach of integrity or availability? Why would distributing via Google Play be more secure than distributing APKs?

Recent Posts