Verisign Certificate
on 14.09.2006 01:01:02 by Christy
We bought and installed "True 128-Bit SSL Certificates" package from Verisign
on our IIS server. We currently use it for our webstore. Our contractor is
developing another webstore (as an addition to the existing one) for us. They're
developing the store at their site.
They are asking us to provide the "certificate to Verisign" to them. Is this
something that I can just freely distribute (no security concern) to the
contractor? Can they fake something like that at their end and then, we can
tie it up once the site is delivered to us?
Thanks for the help.
Re: Verisign Certificate
on 14.09.2006 16:46:55 by Funkadyleik Spynwhanker
"christy" wrote in message
news:2C716C59-42DB-4DA5-B652-0B4736DC1B41@microsoft.com...
> We bought and installed "True 128-Bit SSL Certificates" package from Verisign
> on our IIS server. We currently use it for our webstore. Our contractor is
> developing another webstore (as an addition to the existing one) for us. They're
> developing the store at their site.
>
> They are asking us to provide the "certificate to Verisign" to them. Is this
> something that I can just freely distribute (no security concern) to the
> contractor? Can they fake something like that at their end and then, we can
> tie it up once the site is delivered to us?
>
> Thanks for the help.
>
Well, for one, it won't work. (So your contractors are idiots.) Certs
apply to hostnames as part of their core function. So www.hostnamme.com is
a different cert than www.hostname2.com. Only in the case where they do
strictly internal DNS to assign the _same_ hostname would the cert work.
But, there is little reason to do that, they should make their application
not care what hostname it is under anyway. Using links like
"/image/file.gif" rather than absolute ones. Or use a temporary cert they
self-issue if they absolutely can't figure out how to not make it cert
specific.
There is some security concern passing them the cert. They'd have it and be
able to spoof your site as much as they wanted until it expires. That sorta
undermines the use of the cert. There are hundreds of other companies that
do "shopping cart" development, I have personally dealt with a dozen or so,
and NEVER heard anybody do anything as stupid as ask for a cert file to use
for development.
Your results may vary, but do you really want to bank your reputation and
business on the fact that these guys (or one of their employees acting on
their own) won't do anything with it?
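
The two points made in the reply above (a certificate only validates for the hostname it names, and a self-issued temporary certificate is enough for development), as an added example that is not part of the original thread. It uses the OpenSSL command line rather than IIS tooling, and the hostnames `dev.store.example` and `www.store.example` are placeholders chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example; hostnames are constructed placeholders, not from the thread.

# make_dev_cert HOST DIR [DAYS]
# Writes DIR/dev.key and DIR/dev.crt: a self-signed, short-lived certificate
# whose only name is HOST. Needs OpenSSL 1.1.1 or later for -addext.
make_dev_cert() {
    host=$1; dir=$2; days=${3:-30}
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/dev.key" -out "$dir/dev.crt" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
    chmod 600 "$dir/dev.key"   # the private key stays with whoever made it
}

# cert_matches_host CERT HOST
# Succeeds only if CERT names HOST (the check a browser applies to the URL).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# cert_outlives CERT SECONDS
# Succeeds if CERT is still within its validity period SECONDS from now.
cert_outlives() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Demo: the contractor issues a 7-day certificate for their own dev hostname.
demo_dir=$(mktemp -d)
make_dev_cert dev.store.example "$demo_dir" 7
for h in dev.store.example www.store.example; do
    if cert_matches_host "$demo_dir/dev.crt" "$h"; then
        echo "$h: certificate matches"
    else
        echo "$h: certificate does NOT match"
    fi
done
rm -rf "$demo_dir"
```

Browsers at the contractor's site will warn about the self-signed certificate unless it is added to their local trust store, which affects only their development machines and leaves the production certificate and its private key on the production server.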