Are SSL Certificates Make or Break for New Blogs

Afternoon All (or morning depending where you are),

I've recently started getting back into making blogs as something to stop me watching rubbish TV when i get in from work, my question might be a stupid one, but as this is currently more of a hobby (no ad revenue as of yet, only launched a week ago however) is having an SSL certificate make or break in terms of SEO or general traffic/bounce rate for a new blog? If the answer is yes i have no problem spending the money, i would just rather…

Are SSL Certificates Make or Break for New Blogs

Need to process certificates from 2 different CA’s across 1 connection

I have a single HTTPS connection. I am using SSL / TLSv1.2

We are changing to a new CA. For the interim, I wanted to concatenate the old CA and the new CA in my CA file. Load the new cert for the new CA. So, now I have 2 certs. 1. Old CA, 2. New CA and both CA’s concatenated with their root cert.

It seems this causes TLS to shut down and process in the clear.

How can I support this?

Multiple SSL Certificates Kubernetes

I am running a web service that can be accessed from my domain company’s name. I have setup automatic SSL certificates with Lets Encrypt as seen below.

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: basic-ingress annotations: certmanager.k8s.io/issuer: letsencrypt spec: tls: - hosts: - my.domain.net secretName: my-domain-net-tls rules: - host: my.domain.net http: paths: - backend: serviceName: frontend-service servicePort: 80-to-8080-tcp

I want to offer clients the option of serving the frontend from their own domains. What is the best way to go about this with certificates? I understand that I can setup the load balancer to use multiple secrets as shown here: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl, but I will need to be serving from more than the stated max of 10 domains.

Is there a more efficient way to go about this? What’s the industry standard for serving one frontend service from multiple domains?

Many thanks!

What is the best practice(-s) for managing many certificates?


Situation:

In our system there are a lot of certificates. Some of them are used to secure HTTPS endpoints. Many more of them are used as a means of authenticating our system to an external system (we integrate with over a dozen of other systems). Some others yet are used to authenticate external systems to our system.

All in all, we have dozens of various certificates lying about all over the place. Most of them are only found in one place – the production server that needs them. Some are checked in source control which we all agree is not a good idea, but nobody has gotten around to fixing that yet. There is no list of all (or any) of them.

Problem(s)(?)

Me and a few other colleagues feel that this is too chaotic. It feels like we should have some sort of registry where they are stored. A central place which lists them all; where you can check which one is going to expire next; and where you can restore them from when the need arises. Occasionally a certificate does expire and nobody notices it until it’s too late.

Counter-arguments

Other colleagues feel differently. Most certificates are either automatically renewed (certbot), there are notifications set in our monitoring system (Zabbix), or there are emails from 3rd parties notifying us when they expire and need to be replaced. All certificates are already backed up in the “normal” server backups which simply back up the virtual server image. And if those backups are gone too, we have bigger problems to worry about. In addition, storing the certificates elsewhere reduces security.

Question

Is there some largely agreed upon best practice here? Should we create a central certificate registry or should each certificate be found in one place and only one? Is there perhaps already some software for securely managing a list of certificates?

The difference between Subject Key Identifier and sha1Fingerprint in X509 Certificates

I have some SW that extracts certificates data and the SW utilizes OpenSSL. I am confused what is the difference between the subjectKeyIdentifier and the sha1Fingerprint. Both are hash values. My intuition is that the subjectKeyIdentifier is the hash of the public-key of the certificate and the sha1Fingerprint is the hash of the overall fields of the certificate. My research made more confused. For example, this reference says about the subjectKeyIdentifier:

This is a hash value of the SSL certificate.

This is an example of what I get from the SW:

"subjectKeyIdentifier": "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1", "sha1Fingerprint": "E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB" 

What is the difference between the two hashes? What each hash is for?

OpenSSL – how to renew certificates in production?

Have a number of private network services deployed on different nodes outside of encrypted mesh systems, like Docker or Consul.

The services have high value and should communicate via TLS only, currently using OpenSSL.

Once the certificates are about to expire in production environment, should they be renewed manually by sys-admin or it may be automated somehow?

Is it secure to use cron tasks for this?

Hosting two SSL sites (different host name) on same server with different certificates and without ports (i.e. 443)

We have a SharePoint site https://example.com hosted on port 443.

There is another site https://anotherexample.com that should be hosted on same server and without port (i.e. 443).

Both the certificates are issued to different host names (i.e. not wildcard certificate).

How can I achieve above scenario?

I’m working on IIS 6.

Any help is much appreciated!