Date: 30 November 2011
Certificate Types and Usage
The AusCERT CS provides access to the following certificate types.
SSL/TLS certificates are used for web servers or other hosts. They allow for mutual authentication of client and server; more typical deployments provide server authentication only, allowing a client to verify the authenticity of the server.
In addition, TLS provides confidentiality and integrity of the data sent in transit, through cryptographic mechanisms.
SSL certificates should be used wherever sensitive data needs to be sent over an insecure network (where confidentiality is required); and/or where there is a risk that the data may be modified in transit (integrity protection); and/or to prevent client hosts or other relying parties from being fooled into exchanging sensitive information with a fraudulent party that impersonates the legitimate server.
The following SSL/TLS certificates are offered through the CSM:
Standard SSL/TLS Certificate
A standard SSL/TLS certificate is normally used to secure a single web site. When selecting a standard SSL certificate within the CSM, the common name (CN) must be a FQDN. The certificate issued may include a subject alternate name (SAN) if the CN does not begin with www. Note: If a standard AusCERT SSL Certificate is selected, any SAN entries in the supplied CSR will be ignored.
This is the type you should choose for most situations.
Wildcard SSL/TLS Certificate
Wildcard SSL/TLS certificates can be used to secure any number of sub-domains (host names), without needing to specify each one.
A wildcard certificate will also match the base domain.
An example of a wildcard match is as follows.
*.example.edu.au will match:
but not any of the following:
Multi-domain SSL/TLS Certificate
A multi-domain certificate (MDC) is normally used to secure a group of specific web sites. A combination of fully qualified domain names (FQDN) and wildcard domains may be specified in an MDC, but the CN must not include a wildcard domain. Alternate names, including wildcard domains, may be supplied in the SAN for the certificate. SAN entries may also contain email addresses, IP addresses, hostnames, etc. A public IP address can be used in the CN field (not just the SAN field).
Note that when including a public IP address in the SAN, POs must add, and obtain approval for, each SAN entry in addition to the CN. For verification of public IP addresses, refer to the verification procedures.
Please also note that systems using IE will not be able to connect to systems with IP address SANs. Firefox and Chrome are unaffected.
When ordering a multi-domain SSL certificate from the CSM, you must select the correct certificate type (AusCERT Multi Domain SSL) from the drop-down menu.
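As an added illustration (not part of the original page), the matching and ordering rules from the wildcard and multi-domain sections above, in Python: name_matches applies the one-label wildcard rule, cert_covers checks a host name or IP address against a constructed CN/SAN set, and mdc_request_problems flags a request whose CN is a wildcard or not a FQDN/IP, or whose SAN carries an IP address. The certificate names are constructed, and the base-domain match is modelled by assuming the base domain appears as its own SAN entry.

```python
import ipaddress

# Constructed sample (not from the page): CN and SAN identifiers of a
# hypothetical multi-domain certificate. The base domain is listed as its own
# SAN entry, which is how a wildcard certificate comes to match the base domain.
MDC_NAMES = {
    "cn": "www.example.edu.au",
    "san": ["*.example.edu.au", "example.edu.au",
            "portal.other.edu.au", "203.0.113.10"],
}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(pattern, host):
    """DNS-name match: a leading '*' covers exactly one label, so
    *.example.edu.au matches www.example.edu.au but neither
    a.b.example.edu.au nor the bare example.edu.au."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.edu.au"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def cert_covers(names, target):
    """True if the CN or any SAN entry covers target (host name or IP)."""
    entries = [names["cn"], *names.get("san", [])]
    if _is_ip(target):
        # an IP address is matched literally, never through a wildcard
        wanted = ipaddress.ip_address(target)
        return any(_is_ip(e) and ipaddress.ip_address(e) == wanted for e in entries)
    return any(not _is_ip(e) and name_matches(e, target) for e in entries)

def mdc_request_problems(cn, san):
    """Flags an MDC request that breaks the CN/SAN rules given above."""
    problems = []
    if cn.startswith("*."):
        problems.append("CN must not be a wildcard; list it in the SAN instead")
    elif not _is_ip(cn) and "." not in cn:
        problems.append("CN must be a FQDN or a public IP address")
    if any(_is_ip(e) for e in san):
        problems.append("IP SAN entries need separate approval and IE clients cannot use them")
    return problems
```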
A server gated cryptography (SGC) certificate upgrades the encryption capabilities of older browsers from 40-bit encryption into full 128 or 256-bit encryption. This means your web site protects and is trusted by the highest number of internet users possible, even those using older versions of Windows and Internet Explorer.
UC Certificates (Microsoft Exchange)
Unified communications certificates (UCC) are used with Microsoft Exchange and are similar to MDCs, but also cover telephony and other communications uses. SAN entries may contain email addresses, IP addresses, hostnames, etc. For more details see Comodo 2048 bit SSL certificates.
IdP/SP SSL and IdP/SP SGC Certificates
Identity provider (IdP) certificates are restricted for use in federated ID applications as part of the Australian Access Federation. For more information see the Australian Access Federation.
Intranet SSL/TLS Certificates
Intranet certificates are suitable for internal network servers and hosts. Their use is limited to private ranges of IP addresses and names (non-FQDN). Examples:
For more information about what host names and addresses are permissible for use in an Intranet environment, refer to the Comodo guide of acceptable internal domain names.
Please note that SSL certificates for internal server names and private, non-routable IP addresses are being deprecated.
Therefore, it may be best to avoid requesting these certificates in future.
See the CA/B Forum Guidelines on this topic. The use of these certificates will be eliminated by October 2016, and CAs will not be able to issue certificates of this type with an expiry date later than 1 November 2015. From 1 October 2016, CAs will REVOKE all non-expired certificates of this type.
EV SSL/TLS Certificates
Extended validation (EV) certificates provide higher levels of assurance to relying parties that the organisation that appears in the certificate owns the specified domain. EV SSL certificates, where valid, turn the browser address bar green, or red when invalid (TBA), to provide additional visual cues to the relying party as to whether the certificate can or should be trusted.
While participant organisations may order, request, and manage the life cycle of EV SSL certificates through the CSM, please note that EV SSL certificates are not covered by the AusCERT and PO agreement. Rather, a separate agreement between the PO and Comodo is required and will incur a separate charge. The agreement is presented to the requester online when the EV SSL is ordered. Comodo will invoice AusCERT on behalf of the PO and AusCERT, in turn, will issue an invoice for any EV SSL certificates ordered via the CSM. Please see the price schedule for details.
EV SSL certificates can be used for financial transactions. Extended validation is available for the following types of AusCERT certificates:
EV SSL single domain
EV SSL multi domain
EV SSL Server Gated Cryptography (SGC) single domain
For more details see Comodo 2048 bit SSL certificates.