
Wildcard Certificate? We Questioned the Inventor

A wildcard certificate is a type of public key certificate which can be used to secure multiple subdomains of a domain, validating to the user that the domain and all its subdomains are safe and can be trusted.

Wildcard certificates have some unique qualities: when an organisation uses a wildcard certificate on a public-facing web server, it can secure an unlimited number of subdomains very quickly, all with the same certificate.

Why did you create the wildcard certificate?

The main use case we created wildcard certificates for was to enable businesses to support websites as they scaled in size, as well as in other scenarios where a certificate was needed in a more complex environment. Previously, companies had to issue a new certificate for every subdomain, which proved costly and time-consuming.

George Parsons, Senior Director of Security Architects at Venafi

Wildcard certificates offered a solution to this by providing a simple way to add web servers, instead of having to manage additional key pairs and certificates to authenticate the new webservers with.


Wildcard certificates mean that servers which had previously used “www1.company.com”, “www2.company.com”, and “www3.company.com” could all use a “www*.company.com” wildcard syntax instead.

How should wildcard certificates be used by businesses?

One of the common use cases for wildcard certificates is within a DevOps environment where there is a need to quickly secure multiple subdomains, as this allows the pace of development to continue securely.

Wildcard certificates are used in much the same way as any other certificate – they validate a website and assure users there is a secure connection to a legitimate site.

However, wildcard certificates can be used across multiple subdomains, meaning businesses no longer need to issue a new certificate for every subdomain. Organisations often use wildcard certificates in a development environment to make the dev process quicker, while also securing the connections used.

Yet, the person requesting and using the wildcard certificate should know exactly what the qualified domain name is going to look like before they create that certificate, in order to ensure these certificates are not vulnerable.
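Which host names a wildcard name actually covers is worth pinning down before the certificate is created, as the answer above advises, and again when inventorying what a shared wildcard key exposes. The following is an added example, not code from the interview or from Venafi: it implements the matching rule modern TLS clients and the CA/Browser Forum Baseline Requirements apply (the wildcard is the whole leftmost label and stands in for exactly one label), and the host names it is run over are constructed for illustration.

```python
"""Which host names does a wildcard certificate name cover?

Rule implemented (CA/Browser Forum Baseline Requirements, modern TLS clients):
the wildcard must be the entire leftmost label ("*.") and it matches exactly
one label.  So "*.company.com" covers "www1.company.com" but not the bare
"company.com" and not "api.dev.company.com".  Partial wildcards such as
"www*.company.com" and top-level wildcards such as "*.com" are rejected.
"""


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot of absolute names.
    return name.rstrip(".").lower()


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """True for a plain name, or for '*.<label>.<label>...' (two or more labels
    after the wildcard, none of them empty)."""
    labels = _normalise(pattern).split(".")
    if labels[0] != "*":
        return "*" not in pattern  # plain names are fine, partial wildcards are not
    return len(labels) >= 3 and all(labels[1:])


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    if not is_valid_wildcard_pattern(pattern):
        return False
    p_labels = _normalise(pattern).split(".")
    h_labels = _normalise(hostname).split(".")
    if p_labels[0] != "*":
        return p_labels == h_labels  # non-wildcard names must match exactly
    if len(h_labels) != len(p_labels):
        return False  # '*' covers exactly one label, never zero or several
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each host to the first certificate name covering it, or None.
    Hosts mapped to None need their own SAN entry (or another certificate)."""
    return {
        host: next((n for n in cert_names if hostname_matches(n, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not data from the article.
    names = ["*.company.com", "company.com"]
    hosts = ["www1.company.com", "WWW2.company.com.", "company.com",
             "api.dev.company.com", "newly-created.company.com", "www1.othercompany.com"]
    for host, match in covered_hosts(names, hosts).items():
        print(f"{host:28} -> {match or 'NOT covered (needs its own SAN)'}")
```

Every single-label name under the domain, including ones nobody has deployed yet, is accepted by the wildcard entry, which is the property behind the inventory and compromise-remediation concerns raised later in the interview.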

What are the advantages of using wildcard certificates?

Many organisations will make use of wildcards for the time and cost savings provided – particularly to operational costs. They are cheaper to purchase but offer the same validity as other certificates. Wildcard certificates can also be used as a time-saving measure, as the same certificate can validate multiple subdomains instead of a business needing to purchase a certificate for each subdomain.

What risks should businesses be aware of when using wildcards?

One of the primary risks of using wildcard certificates is that they can leave a business more susceptible to phishing attacks. If cyber criminals are able to infiltrate a business’s domain, they can gain privileges which allow them to create unlimited domains – all of which are validated by the existing wildcard certificate. Any illegitimate subdomains which are created can be used to host malicious websites.

These websites can then be used in phishing campaigns, or even as an exfiltration site setup by a bad actor within the corporate network.

Another risk comes when the certificate is compromised. As a result of using wildcard certificates, remediation is extremely difficult, and it is easy for a compromised certificate to slip through the net.

The security team will need to discover all of the websites using the wildcard certificate and determine if these websites are being operated by the organisation or by a bad actor who has stolen the wildcard certificate and associated private key.

Outages also pose a risk for businesses – if the wildcard certificate is not renewed or replaced before it expires, the domain and all of the associated subdomains may become inaccessible for users.

During renewal, businesses must update each and every installation of the wildcard certificate, but often one or two of the websites using the shared certificate may be down for maintenance and are therefore not updated, leading to an outage. Finally, if a business decides to replace the wildcard certificate for a domain with a more secure EV certificate, it is likely to encounter the complex challenge of locating and securing multiple subdomains at the same time.

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer
