x509 - Wildcard X.509 Certificates -- Do they make sense in development environments


I started working at a new company. It is an engineering company focused on hardware. They don't have a lot of experience with big data dev/test environments. The company has extensive security policies. One of them is "absolutely no wildcard certificates". I have worked in other software shops where wildcard certificates are commonly used in dev and test environments. The advantage is that you can spin up servers and use the wildcard certificate without waiting for the accounting department to issue a purchase order to the CA. I believe I understand the security issues of wildcards:

  1. If one subdomain is compromised, all subdomains are compromised.
  2. If you revoke the certificate, all subdomains are revoked.
  3. Wildcards may not be compatible with "really old" browsers and servers.
  4. A single private key floating around on several servers poses security risks.
  5. Some CAs void warranties on wildcard certificates.

I would not use wildcards on production servers -- because of #4. However, I cannot see the above security issues being a problem in a dev and test environment. The dev and test servers have internet-facing ports. They have the usual password and multifactor security built in. Only the necessary ports are exposed, and HTTPS. The data is test data, and the servers are in their own domain with no connection to the company's internal domains.

Does anyone see potential security problems or other things I might be missing?

I started out thinking wildcard X.509 certificates were the way to go for moderate to large server/instance development environments. However, the suggestions of alexp were quite helpful, and I believe there is a better way of approaching the distribution and management of multiple environments and X.509 certificates. Here is a description of the suggestions.

You have several environments that you have to support. Each environment has several servers or instances. Each server/instance requires its own X.509 certificate.

  dev1, dev2, ...     development environment
  test1, test2, ...   test environment
  stg1, stg2, ...     production staging and test
  prod1, prod2, ...   production live environment

The recommended way is to build a private SSL certificate authority (CA). The private CA will issue X.509 certificates for dev, test, and stg. Each development or test machine's browser is manually loaded with the root certificate of the private CA. That way the browser will not squawk about certificate security problems. Each server or instance will have its own unique certificate. Each environment could conceivably have several servers or instances, so you may have many tens of certificates to deploy and manage. The use of a sub-domain or fully qualified domain name (FQDN) is helpful -- dev1.admin.mydomain.com, dev1.rest.mydomain.com, test1.admin.mydomain.com, etc. You need to use the FQDN as the common name of each certificate -- stg1.mongodb.mydomain.com, for example. For the production environment, use a commercial CA such as Comodo, Symantec, or others. The FQDN for that environment would be mydomain.com, rest.mydomain.com, etc. Private CA certificates are free, easy to create, and fast to deploy. Commercial certificates can be expensive and take more time to create and deploy than necessary. Private CAs represent a cost, security, and ease of certificate management trade-off in a moderate to large development environment.
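
The private-CA workflow described above, sketched with the OpenSSL command line as an added example (not part of the original post). The function names, file layout, CA name and certificate lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private CA for dev/test/stg, one certificate per FQDN.
# Function names, file layout and lifetimes are assumptions for illustration.

# make_ca DIR: create the private root CA (ca.key stays on the CA host only).
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Dev-Test Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt"
}

# issue_cert DIR FQDN: unique key + certificate for one server/instance.
# The FQDN goes in the CN as the post says, and also in subjectAltName,
# because current browsers match hostnames against the SAN, not the CN.
issue_cert() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=$fqdn" -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$dir/$fqdn.ext"
    openssl x509 -req -sha256 -days 90 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.ext" -out "$dir/$fqdn.crt"
}

# verify_cert DIR FQDN HOSTNAME: succeeds only if FQDN's certificate chains
# to the private CA and is valid for HOSTNAME.
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}
```

Only `ca.crt` is loaded into the dev and test browsers. `ca.key` is the file to protect, since whoever holds it can issue a certificate for any name those browsers will then trust.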

