Types of SSL Certificates
Questions and answers about different types of SSL Server certificates
This article applies to: SSL Server Certificate
Can I request a code signing certificate?
Yes. Contact the IT Service Desk for assistance.
Can I get a certificate for a host in a non-Cornell domain?
Yes - as long as Cornell owns the domain. Send your request to the IT Service Desk.
To ensure the university's compliance with the InCommon agreement, requests for certificates outside of cornell.edu domains are subject to extra vetting and approval, by both the university and InCommon.
To begin your request, send email to firstname.lastname@example.org asking for the domain to be added. The IDM SSL admin will then initiate the process of validating your domain with InCommon. After the domain is validated, you can request a certificate for a host in that domain through the normal channel.
What are Extended Validation Certificates?
Extended Validation (EV) SSL certificates are the next generation of SSL certificates: they work with high-security Web browsers to clearly identify a website's organizational identity.
For example, if you use Internet Explorer 7.0, Firefox 3.0, or Opera 9.5, the address bar will turn green to identify the site as having an EV SSL certificate. A display next to the URL will toggle between the organization name in the certificate and the Certificate Authority that issued the SSL Certificate. The green bar means that a third party has validated the legitimacy of the business and the business's right to use the domain name, and that the High-Assurance SSL Certificate was legitimately obtained.
Generating a CSR for an EV certificate is the same as generating the CSR for a single domain SSL certificate.
What is a Unified Communications Certificate?
A Unified Communications Certificate is a multi-domain certificate specifically designed for use with Microsoft Exchange and Microsoft Office Communications servers.
What is a multi-domain SSL certificate?
A multi-domain certificate allows you to secure a primary domain, and up to 99 additional fully qualified domains, in a single certificate. It is best for organizations that have multiple unique domains hosted on a single server.
- The domains included in a multi-domain certificate do not have to have unique IPs.
- It must be reissued each time you want to add a new host/domain name to the certificate.
When generating a CSR for a multi-domain certificate, enter the primary domain name in the Common Name field. In the SSL request form's Subject Alternative Names field, enter the rest of the domain names that you want included in the certificate.
What is a wildcard certificate?
Use of wildcard certificates is strongly discouraged for most use cases. If possible, try to make use of other certificate types such as multi-domain certificates. When you deploy a wildcard certificate and private key across multiple websites and servers, a single site compromise will result in the compromise of the entire subdomain. Also note that not all applications are compatible with wildcard certificates. In particular, many mobile applications will not work with wildcards.
Wildcard Certificates secure multiple subdomains with a single SSL Certificate. For example, if you want to secure www.entrust.com, secure.entrust.com and support.entrust.com, you can use a wildcard certificate to secure all 3 subdomains under *.entrust.com.
There is a limitation on the way wildcard certificates work. This goes across the board for all Certificate Authorities. Wildcard certificates only support one level up in the fully qualified domain name.
For example, if we create a certificate for the common name of *.test.entrust.com, https://www.test.entrust.com/ will work; https://www.shop.test.entrust.com/ will not work. https://test.entrust.com will not work either.
When generating a Certificate Signing Request (CSR) for a Wildcard certificate, add an asterisk (*) to the left of the Common Name where you want to specify the wildcard.
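The one-level limitation described above can be checked in code. The following is an added example, not part of the original article or any Cornell or Entrust tooling: the function names and the multi-domain name list are constructed for illustration, and it assumes the strict rule that a wildcard must be the entire left-most label.

```python
# Added illustration of one-label wildcard matching.
# Assumption: "*" is only accepted as the whole left-most label of a name.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """Return True if one certificate name (exact or wildcard) covers host."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or "*" in host:
        return False                      # malformed name or wildcard in host
    if "*" not in pattern:
        return p == h                     # exact name: every label must match
    # Reject wildcards anywhere other than the entire left-most label.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # "*" stands for exactly one label, so the label counts must be equal:
    # it never matches zero labels (the bare domain) or two or more.
    return len(p) == len(h) and p[1:] == h[1:]


def covered_by(cert_names, host):
    """Return the first certificate name that covers host, or None."""
    for pattern in cert_names:
        if name_matches(pattern, host):
            return pattern
    return None


if __name__ == "__main__":
    wildcard_cert = ["*.test.entrust.com"]
    # Constructed multi-domain alternative: each host is listed explicitly.
    multi_domain_cert = ["test.entrust.com", "www.test.entrust.com",
                         "www.shop.test.entrust.com"]
    for host in ("www.test.entrust.com", "www.shop.test.entrust.com",
                 "test.entrust.com"):
        print(f"{host:28} wildcard={covered_by(wildcard_cert, host)!s:20} "
              f"multi-domain={covered_by(multi_domain_cert, host)}")
```

Running it shows the wildcard certificate covering only www.test.entrust.com, while the multi-domain name list covers all three hosts.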