The Shortcut Guide to Subject Alternative Name Certificatesby Mike Danseglio
Most organizations use certificates in some fashion. Web servers, email servers, messaging servers... everything seems to be moving in the direction of public key certificates. But certificates can be costly and confusing to manage, especially with large web farms or email-centric companies. One great solution to this problem is the use of subject alternative name (SAN) certificates.
The Shortcut Guide to Subject Alternative Name Certificates provides information about SAN certificates to show how they can be used in a variety of technologies. These special certificates allow multiple hosts to use the same certificate, avoiding the costs of obtaining, deploying, and managing multiple nearly-identical certificates. This guide will explore what SAN certificates are, how they work, and how they can help you deploy server farms more efficiently. You may even discover that you already have SAN certificates available that can be put to good use with no additional expense!
Chapter 1: Introduction to Certificates
There are numerous ways to apply public key infrastructure (PKI). There are probably as many unique solutions available as there are companies to apply them to. A one-size-fits-all PKI simply does not exist. And in a similar vein, there is no perfect PKI; there is almost always a tradeoff made during the process of PKI implementation.
For example, deploying an externally managed PKI may cut costs, such as internal headcount or the deployment of intranet infrastructure servers, while incurring other costs, including monthly maintenance fees. Another, more esoteric example is key size. Many cryptographic algorithms allow an administrator to select the size of the public key used for the PKI. As you may already know, the rule is that for any cryptography, the larger you make the key, the more secure the data becomes. So many executives and IT professionals will initially decide to use the largest key possible. And if there were no downsides, that would be a great choice. However, the drawback is that intense calculations must be made every time the key is used, and particularly when the key is generated. As a result, the system becomes far more secure but far slower.
You will almost certainly have some amount of compromise in your decision because, frankly, you do not have infinite resources at your disposal. Because there is no single best PKI solution, you need to be familiar with as many available options as possible. This familiarity helps you determine the best way to address the stated needs.
This guide is provided in four chapters. Each chapter focuses on a different aspect of the concepts and practical use of SAN certificates:
- Chapter 1: Introduction to Certificates - This chapter introduces broad PKI terms that are used throughout the guide. It provides a framework for the in-depth concepts and application of SAN certificates in later chapters. Although this chapter may be considered review material for some readers, it is important to understand this information to ensure that later chapters are effective.
- Chapter 2: SAN Certificates In Depth - This chapter is dedicated to getting down into the details of a SAN certificate. It will examine the certificate structures and metadata and will compare data between SAN and non-SAN certificates. It will also compare SAN certificates to wildcard certificates to understand the distinction between two somewhat similar products.
- Chapter 3: The Business Value of SAN Certificates - Written primarily for the BDM and TDM readers, this chapter discusses the business aspect of SAN certificates. It will examine the business costs and return on investment (ROI) drivers that apply to both SAN and other similar certification strategies. This chapter supports the business and organizational elements of the solutions discussed in Chapter 2.
- Chapter 4: Planning and Implementing a SAN - Enabled Certificate Strategyâ€”This chapter discuss the details of actually implementing a SAN-enabled certificate strategy. Topics include analyzing existing systems and properly planning for a SAN certificate deployment. Ongoing operations-based tasks are also explored. This chapter is useful for the implementers in an organization, such as the IT generalist or specialist, and the planning elements apply to architects as well.
Chapter 2: SAN Certificates In-Depth
Why write a fourâ€chapter guide about one very specific aspect of public key certificates? To put it in very simple terms, SAN certificates are amazingly powerful tools that you can use to solve important business problems inexpensively and efficiently. However, they must be used properly to realize the benefits and avoid potential drawbacks. We'll show you how to do both in this guide.
A SAN certificate is like most other certificates. It is requested with a PKCS #10 and supplied as a PKCS #7. But it has one important attribute that sets it apart from other, standard certificates. A SAN certificate has a field that specifies other domain names that can use the certificate.
Take, for example, a company that has a Web presence at Example.com. Most Internet users will open a browser and type http://www.example.com and land on the companyâ€™s home Web page. But what happens when the company wants to switch to an SSLâ€restricted Web site? The company will probably redirect all requests from http://www.example.com to https://www.example.com and obtain an SSLâ€enabled certificate for that Web server. So far, so good.
Chapter 3: The Business Value of SAN Certificates
This chapter focuses almost exclusively on nonâ€technical concerns. The business value of PKI is fairly well understood. However, the options that SAN certificates offer to the PKI business proposition are not always clear. They are extremely powerful options that can make a significant difference in this infrastructure investment.
One of the most important business values that SAN certificates offer is in the area of certificate reuse. Simply put, you can use a single SAN certificate in a number of systems for several different tasks. Although that certificate might require a bit more of an initial investment, in the long run, the SAN certificate can usually save time and money by simplifying your IT investments and getting more mileage out of that single certificate
Using Existing Resources
One of the best ways to examine the business resources expended on PKI certificates is to examine the various phases of certification. There are a number of ways to describe these phases. Weâ€™ll use one that works from both a business and technical perspective, based on the certificate life cycle. The phases weâ€™ll examine are:
- Certificate request
- Certificate issuance
- Certificate deployment
- Certificate maintenance
Chapter 4: Planning and Implementing a
SANâ€Enabled Certificate Strategy
In this final chapter, we will get back to the technical details by going through typical SANspecific public key infrastructure (PKI) scenarios in detail. Many of the sections in this chapter will enable you to take direct action to start using SAN certificates.
Planning for SAN Certificates
Planning a certificate strategy using SAN certificates differs significantly from a singleâ€use certificate strategy. Before we begin to look at implementation details, we should take a brief look at how the certificate planning differs. As youâ€™ll see, the result is that plans can be greatly simplified.
Because SAN certificates are more flexible than singleâ€instance certificates, in general, we can plan to obtain fewer certificates and use those certificates in multiple locations. For example, we can show how a company might secure its Internetâ€facing servers with a series of certificates in a typical PKI deployment (see Figure 4.1).
Figure 4.1: A typical Internetfacing PKI deployment
As we can see, this deployment has four servers, one of each, that will serve as our server archetypes:
- Email server
- Eâ€commerce server
- Web server
- Realâ€time Communications (RTC) server