Re: SSL Certificates

Jeff Woods ( jeff@delta.com )
Thu, 19 Jun 1997 09:21:55 -0400

At 01:13 AM 6/18/97 -0600, you wrote:

>How do most of you guys deal with SSL? Management here has suggested
>purchasing one SSL certificate under our ISP company name & using it for
>any business clients who wish to have secure order forms.

BAD BAD BAD! If the remote user comes to someone on YOUR server who is
using www.acme.com, and you (and the certificate) are www.isp.com, then the
remote user will get a SECURITY NOTICE when they try to get a secure page
from https://www.acme.com -- the certificates will NOT match!

You simply MUST let your customers acquire their OWN certs. Use the "Key
Manager" in IIS 3.0 to generate a key pair for the customer, and the
customer can take that key pair to Verisign to be made into a certificate
at their own expense. Otherwise, the cert is useless on the customer's site.

>I was under the
>opinion, however, that it would be preferable for each business client to
>purchase their own SSL certificate so that any Internet-related credit card
>troubles are reflected on the client business company name & not our own.

This is yet another good reason, but not the primary one.
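What the browser actually compares when it raises that security notice, as an added example that is not part of Jeff's mail: the certificate contents below are constructed to match the thread's www.isp.com / www.acme.com scenario, and the check follows the usual rules (subjectAltName DNS entries win when present, commonName is only a fallback, a wildcard covers exactly one left-most label).

```python
"""Hostname check a browser performs against the server certificate.

Constructed example. The certificate is modelled as the dict that Python's
ssl.getpeercert() returns; no network access is needed.
"""

# Constructed: the single ISP-wide certificate issued for www.isp.com.
ISP_CERT = {
    "subject": ((("commonName", "www.isp.com"),),),
    "subjectAltName": (("DNS", "www.isp.com"),),
}

# Constructed: the certificate a customer would obtain for their own host.
ACME_CERT = {
    "subject": ((("commonName", "www.acme.com"),),),
    "subjectAltName": (("DNS", "www.acme.com"), ("DNS", "acme.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' may replace only the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, label counts must agree,
    # and we refuse wildcards that would cover a whole TLD such as '*.com'.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: SAN DNS entries, else commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when a browser would accept this cert for https://hostname/."""
    return any(_dns_name_matches(n, hostname) for n in cert_names(cert))


if __name__ == "__main__":
    for host in ("www.isp.com", "www.acme.com"):
        verdict = "OK" if hostname_matches(ISP_CERT, host) else "SECURITY NOTICE"
        print(f"ISP cert presented for https://{host}/ -> {verdict}")
```

Running it shows the ISP certificate accepted for www.isp.com and rejected for www.acme.com, which is exactly the mismatch the reply warns about.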