Dynamic Signal Communities can be configured with custom domains, as described in this article. As part of that process, an SSL/TLS server certificate is hosted by Dynamic Signal on behalf of the Customer so that all communication between members and the community stays encrypted. A server certificate has a number of attributes, including the Internet name (domain name) it is intended to be used with. Certificates come in single-domain, multi-domain (SAN), and wildcard varieties. This article pertains only to wildcard certificates.
To better align with industry-standard web security practices, Dynamic Signal will no longer provision wildcard certificates for existing Customers on the DySi platform after January 1, 2020, and will not support wildcard certificates that expire after December 31, 2020. New Customers must already adhere to the allowed certificate types listed below, because the provisioning tool does not accept wildcard certificates.
Why this Action is Being Taken
Wildcard certificates, by design, allow a single certificate and private key to terminate TLS for an unlimited number of web properties that share a common domain suffix, well beyond the custom domain used for the DySi community itself. As a result, such a certificate (and its private key) is more likely to be shared between multiple parties and used in a variety of contexts outside the Dynamic Signal platform, and a compromise of the key in any one of those contexts exposes every hostname the certificate covers. This action is intended to reduce that risk, encourage adherence to best practices for a more secure web, and make the provisioning process more streamlined and self-serviceable.
The decision to discontinue support for wildcard certificates was one of a number of policy changes, related to continual improvement of platform and operational management, that we committed to while pursuing a SOC 2 Type II report earlier this year. SOC 2 is a widely used compliance and ongoing-reporting framework focused on the security policies and procedures that govern the safe handling of Customer data. We recently completed the audit and expect to make the report available to interested parties under a signed Dynamic Signal Nondisclosure Agreement (NDA) in the near future.
What is Considered a Wildcard Certificate?
A wildcard certificate is any certificate in which either the common name (CN) or one of the subject alternative names (SANs) contains an asterisk '*' as part of the domain name itself (for example *.example.com). Note that a certificate whose CN is an ordinary hostname still counts as a wildcard certificate if any SAN entry contains an asterisk.
Allowed Certificate Types after January 1st, 2020
Although single-domain certificates are, and will continue to be, preferred, multi-domain (SAN) certificates will be allowed if the number of alternative names, beyond the custom community domain itself, does not exceed the greater of:
- 5 alternative names in addition to the custom community domain, or
- the number of communities the Customer subscribes to
Multi-domain certificates carry risk similar to a wildcard certificate if they reference domains that are not hosted by Dynamic Signal (such as www, vpn or webmail hostnames), which is why the number of alternative names is kept restrictive.
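The following is an added example, not Dynamic Signal's provisioning tool, that checks a certificate against the two rules above: the wildcard definition (an asterisk in the CN or any SAN) and the "greater of 5 or the number of communities" cap on alternative names. It works on the text printed by `openssl x509 -in cert.pem -noout -subject -ext subjectAltName` (the -ext flag is an OpenSSL 1.1.1+ feature); the sample outputs embedded below are constructed for the example, not captured from real certificates, and the requirement that the community domain itself appear in the certificate is an added sanity check rather than a rule stated in the article.

```python
"""
Policy check for the wildcard / SAN-count rules described above.
Added example; not Dynamic Signal's own tooling.  Input is the output of:
    openssl x509 -in cert.pem -noout -subject -ext subjectAltName
The SAMPLE outputs below are constructed, not taken from real certificates.
"""
import re

SAN_BASELINE = 5  # alternative names allowed beyond the community domain


def parse_openssl_names(text):
    """Return (subject CN, [DNS SAN entries]), both lower-cased, from openssl text.

    Handles both the 'subject=C = US, CN = x' and the older 'subject=/C=US/CN=x' layouts.
    """
    cn = None
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip().lower()
    sans = [s.lower() for s in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, sans


def is_wildcard(name):
    """The article's definition: an asterisk anywhere in the name, not only a leading '*.'."""
    return "*" in name


def evaluate(openssl_text, community_domain, communities=1):
    """Return a verdict dict: wildcard names found, extra SANs, the cap, and whether allowed."""
    cn, sans = parse_openssl_names(openssl_text)
    names = ([cn] if cn else []) + sans
    wildcard = sorted({n for n in names if is_wildcard(n)})
    community = community_domain.lower()
    # Every distinct SAN other than the community domain counts against the cap.
    extra = sorted({n for n in sans if n != community})
    cap = max(SAN_BASELINE, communities)  # "the greater of" rule
    return {
        "cn": cn,
        "wildcard": wildcard,
        "extra_names": extra,
        "cap": cap,
        # Added sanity check: the certificate must actually cover the community domain.
        "allowed": not wildcard and community in names and len(extra) <= cap,
    }


# Constructed sample: a wildcard certificate (disallowed regardless of SAN count).
WILDCARD_OUTPUT = """\
subject=C = US, O = Example Corp, CN = *.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""

# Constructed sample: a SAN certificate with the community domain plus 7 other names,
# several of which (www, vpn, webmail) are the kind of non-DySi hostnames the article warns about.
SAN_OUTPUT = """\
subject=C = US, O = Example Corp, CN = community.example.com
X509v3 Subject Alternative Name:
    DNS:community.example.com, DNS:news.example.com, DNS:team.example.com,
    DNS:www.example.com, DNS:vpn.example.com, DNS:webmail.example.com,
    DNS:intranet.example.com, DNS:sales.example.com
"""

if __name__ == "__main__":
    print(evaluate(WILDCARD_OUTPUT, "community.example.com"))
    # 7 extra names: over the cap with one community, within it with eight.
    print(evaluate(SAN_OUTPUT, "community.example.com", communities=1))
    print(evaluate(SAN_OUTPUT, "community.example.com", communities=8))
```

Run it against a real certificate by piping the openssl command's output into `evaluate()`; the verdict for the SAN sample flips from disallowed to allowed only because the cap rises with the number of subscribed communities, which is the "greater of" rule in action.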
Renewal of Wildcard Certificates through Dec 31st, 2019
Although we strongly advise against it for the reasons above, existing wildcard certificates hosted on the DySi platform can be replaced through the remainder of 2019. Note that wildcard certificates require manual provisioning, so Customers cannot use the new self-provisioning tool now available in the Manager App; both CSR generation and upload of the credentials must be done in coordination with the Support team, and processing takes roughly 2-3 days. Beginning June 1, 2019, only wildcard certificates that replace existing wildcard certificates may be provisioned; new wildcard certificates have not been provisioned since July 1, 2019. As stated above, beginning January 1, 2020 we will no longer provision wildcard certificates on the platform, nor support wildcard certificates with an expiration date later than December 31, 2020.