What limitations apply to SSL Certificates?

  • bakytn

    If I buy a certificate from, say, Thawte or Verisign etc., they have only time limits, right?

    Or do they also have limits on the number of connections? I think not, and I have never run into such a limit. But I would like to know.

    Also, if I buy an SSL certificate from one of those, would the system require Internet access? What if the system is intended to be used only on an intranet with no public access?

  • Answers
  • Julian Knight

    No, there are no connection limits - only time limits & IP/domain address limits (typically a single address & domain).

    You need to have something that connects to the Internet if you want a certificate from them, since you need to create the keys and signing file locally and send some of this to them; they then add their bit and send you something back. Typically this happens using a web page, but it can be done over email too.

    The information you receive back then needs to be put back onto the server. You could do this via USB stick if needed so the server doesn't need Internet access.

    But then, as @pjc50 has pointed out: if the server doesn't have Internet access, do you want to have a publicly certified certificate?

    Private certificates are fine for testing purposes, but a corporate/enterprise intranet should have a certificate issued by your enterprise PKI, not a public PKI.

  • pjc50

    There is no connection limit. You need to have access to the internet to buy the certificate, but then you can move the cert and private key (this is the important item!) to a private system.

    But if you have a private system, then you can sign a certificate with itself for free; or you can set up your own certification authority within the system.

  • Related Question

    What is the true level of danger when a SSL certificate is invalid?
  • Chris Pratt

    I'm relatively tech-savvy, but I'm no security expert. To my understanding, an invalid SSL certificate is only a problem if you're going to provide some sort of potentially exploitable information to a website and you are not sure that the website you're at is truly owned by the organization you believe it to be.

    I ask because my workplace uses content filtering that makes every SSL cert invalid. The browser sees the website as originating from the content filtering server on the network rather than the actual server the website is being served from. I'm tempted to simply turn off certificate checking altogether in my browser (Firefox) because it's not doing anything for me other than creating hassle, but I wanted to check to see if there's some facet of the issue I might be missing? I'm smart enough to ensure that the website I'm visiting is the website I think I'm visiting without the confirmation of the cert, so based on my understanding, I shouldn't have any problems.

  • Related Answers
  • Michael Urvan

    Basically with that kind of proxy, your employer can see even banking information and such via SSL because they have an unencrypted copy via the proxy. Your computer is requesting a webpage from the proxy server, and then your employer's proxy server is requesting the pages from the destination on your behalf, and the proxy software gets an unencrypted copy because it is in the middle. So the proxy can see the contents of every web page you see. The only way SSL is secure is when your PC and the destination PC talk directly via SSL.

    Your browser is correctly warning you that your information is not secure. I think that the connection between the three points is still using encryption, so the whole world can't see it - just your employer.

    One note to remember: even with SSL turned on properly, your employer can still see the URLs (in the browser address bar) that you go to. Most search engines like Google place a lot of information in the URL (words you searched for, etc.).

  • DrNoone

    The main problem, IMHO, is that your browser (or your client's browser) is always complaining about invalid certificates. If it happens once in a while, you go and check whether it is an error or not. If it happens every time, you stop checking. I mean, your information could be safe from sniffing because you're encrypting the communication channel, but you may be talking with a rogue server, and that could be easily exploited.
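The following is an added example, not code from either thread, showing in one runnable program the two things the answers above describe: the certificate lifecycle from the first question (Julian Knight's point that the key pair and CSR are created locally and only the CSR goes to the CA, pjc50's point that an intranet can run its own CA, and the time limit bakytn asked about) and the trust-store check behind the "invalid certificate" warning in the related question (a certificate chained to a CA the client does not trust, such as an interception proxy's CA, fails verification even though the TLS channel is encrypted). It uses Go's standard crypto/x509 package because that lets the whole flow run offline with no external tools. The CA name and hostname are assumptions for the illustration; nothing here is from the original posts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const caName, hostName = "Example Corp Intranet CA", "wiki.corp.example" // assumed names, not from the thread

// newCA builds the self-signed root of a private PKI (pjc50's "own certification
// authority"); a public CA such as Thawte plays the same role for the Internet.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCSR is the server-side step from Julian Knight's answer: the key pair is
// generated on the (possibly offline) server and only the CSR travels to the CA.
func newCSR(host string) (*x509.CertificateRequest, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: host},
		DNSNames: []string{host},
	}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return csr, key, err
}

// signCSR is the CA-side step: check the CSR's own signature, then issue a leaf
// bound to the requested name and valid for `days` (the time limit asked about).
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, days int) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verify is what a browser does on connect: chain the leaf to a root in the trust
// store and match the hostname. An empty pool models a client that does not trust
// the issuer, which is the "invalid certificate" warning of the related question.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() { // demo driver; error handling elided here only
	ca, caKey, _ := newCA()
	csr, _, _ := newCSR(hostName)
	leaf, _ := signCSR(ca, caKey, csr, 365)
	expired, _ := signCSR(ca, caKey, csr, -1)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("issuer:", leaf.Issuer.CommonName) // who vouches for (or intercepts) the connection
	fmt.Println("trusted CA, right host:", verify(leaf, trusted, hostName))
	fmt.Println("CA not in trust store: ", verify(leaf, x509.NewCertPool(), hostName))
	fmt.Println("wrong hostname:        ", verify(leaf, trusted, "other.corp.example"))
	fmt.Println("expired:               ", verify(expired, trusted, hostName))
}
```

The first verify call is the intranet case the answers recommend: the client has the enterprise CA in its trust store, so a certificate issued by that CA is accepted with no Internet access involved. The second call is what Chris Pratt's browser is doing: the leaf chains to a CA (the content filter's) that the browser does not trust, so it is rejected, and the Issuer field is how you tell who is in the middle. Turning verification off would silence all four cases alike, including the wrong-hostname and expired ones, which is DrNoone's rogue-server point.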