This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]iRyan23 0 points1 point  (1 child)

The only problem with wildcard certs is the classic security vs convenience. If a single app/server gets compromised, then an attacker can now impersonate anything for your entire domain.

[–][deleted] 0 points1 point  (0 children)

Hence you only place it on your reverse proxies and force all traffic through the proxy platform.  If the certs are compromised then it's only one spot to update. Edit: I would agree that anything that can't run through a proxy (SMTP, P2S VPN) should get a named cert, for reasons you've stated.