PKI keys per service or per server?

certificate pki encryption

Solution 1:

The more ciphertext that's available, the easier it is to crack. Having said that, all security is a trade off. You need to think what are you using the certificates for? Encryption? Authentication? What would happen if there was a compromise? How does that weigh against the administration benefit of having less certificates to keep track of. You're using puppet, so some of the administrative overhead is reduced.

We use a custom root certificate and a single wildcard keypair where possible on our internal systems. This is mostly just to stop casual sniffers gaining passwords. I'm sure that a determined hacker would find a way in. Having just had our certificate expire, we've set up puppet infrastructure to distribute the key and restart services. Next year we just need to check the new keys into subversion and puppet should do the rest.

Related

MOSS 2007 cannot configure Forms Authentication using ActiveDirectoryMembershipProvider
How to get around Outlook/Exchange's Rules and Alerts 32KB limit?
service static files under nginx & HTTP-Authentication
Windows Update Agent Update Failed
Networking problems in VMWare with wireless bridge [closed]
Virtual PC (XPMode) - Setting up Loopback Adapter for guest to talk to host
Forward-sync to HDFS? (OR continue an incomplete hdfs upload?)
OpenVPN Server - CPU is pegged out
Samba setup to request password reset on first time login
Samba on Debian Lenny much slower than Windows 2008
Transparent HTTP Proxy (Windows)
Eucalyptus or OpenNebula or... for a Linux and Windows build server private cloud