As enterprises and service providers enhance their
Web sites and extranets with new technology to reach larger audiences,
server configurations have become increasingly complex. To ensure a
common, high-level standard of security across all types of configurations,
VeriSign recommends that you do not share or copy certificates among
servers.
|
| When Deploying different certificate types across a site creates the Tuesday-Wednesday problem. A site visitor may receive one kind of SSL assurance on Tuesday when shopping and a different level of SSL assurance when they return on Wednesday to purchase, eroding confidence. |
| Deploy the same type of SSL Certificate across multiple servers. If you have staggered validity periods and need to upgrade all of your SSL Certificates to the new Extended Validation Standard, contact VeriSign for assistance. |
|
| When private keys are moved among servers - by disk or by network - accountability and control decrease and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. |
| Deploy a unique certificate for each server or license a single certificate across multiple servers in appropriate configurations.
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. VeriSign's licensing policy allows licensed certificates to be shared in the following configurations:
- Redundant server backups
- Server load balancing
- SSL accelerators |
|
| When a user connects to a Web site secured by an SSL Certificate, the client browser and the site perform an SSL handshake. At that time, the client browser confirms that the Web site URL and the common name of the certificate are the same. If they are not, the client browser will display a warning. |
| Use appropriate Common Name and organisational information to prevent warnings or error messages.
To ensure that users receive correct information and that their information is protected, VeriSign recommends that certificates are not shared in a configuration with multiple physical servers with different hostnames. |
|
| If customers violate the terms of the certificate licence, they forfeit the NetSure protection provided with their certificate. |
| Follow the terms of the certificate licence.
Due to the increased risk of private key compromise associated with copying certificates and private keys from server to server, licensing a certificate for multiple servers is less secure than deploying unique certificates. For this reason, VeriSign offers only $10,000 in NetSure warranty protection for each additional licence purchased. |
|
