[SSL Observatory] Which CAs will issue a wildcard cert that also has Subject Alternative Names?
Peter Eckersley
pde at eff.org
Fri May 6 00:18:42 PDT 2011
Recently someone in charge of a fairly large HTTPS deployment complained to me
that he couldn't find a CA that would sell him a cert that simultaneously did
wildcards and SANs. I realised the Observatory was a decent way to work out
where to go shopping (the answer seemed to be, start with DigiCert and
StartCom, but there are other options).
SELECT Issuer, count(*) AS c
FROM valid_certs
WHERE `ext:X509v3 Subject Alternative Name` REGEXP "DNS.*DNS.*DNS"
AND LOCATE("CN=*", Subject)
GROUP BY Issuer
ORDER BY c desc;
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
| Issuer | c |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
| C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3 | 3523 |
| C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global CA | 1052 |
| C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global CA (2048) | 197 |
| C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA | 144 |
| OU=Organization Validation CA, O=GlobalSign, CN=GlobalSign Organization Validation CA | 45 |
| C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=PositiveSSL CA | 16 |
| C=BE, OU=Domain Validation CA, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA | 16 |
| C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware | 11 |
| DC=com, DC=microsoft, DC=corp, DC=redmond, CN=Microsoft Secure Server Authority | 10 |
| O=Cybertrust Inc, CN=Cybertrust SureServer Standard Validation CA | 7 |
| O=Dell Inc., OU=Information Technology, CN=Dell Inc. Enterprise Issuing CA3 | 6 |
| C=US, O=Google Inc, CN=Google Internet Authority | 5 |
| C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287 | 5 |
| C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High Assurance Secure Server CA | 4 |
| C=US, O=Bechtel Corporation, OU=Information Security, CN=Bechtel External iBechtel CA 1 | 4 |
| C=US, O=Equifax, OU=Equifax Secure Certificate Authority | 3 |
| C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certificates.starfieldtech.com/repository, CN=Starfield Secure Certification Authority/serialNumber=10688435 | 3 |
| C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 3 Primary Intermediate Server CA | 3 |
| C=AU, O=AusCERT, OU=Certificate Services, CN=AusCERT Server CA | 2 |
| C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, CN=USERTrust Legacy Secure Server CA | 1 |
| C=PT, O=Saphety, CN=Saphety Server 01 | 1 |
| O=RSA Security Inc., OU=KCA Services, CN=RSA Corporate Server CA, L=Bedford, ST=Massachusetts, C=US | 1 |
| C=HU, L=Budapest, O=NetLock Halozatbiztonsagi Kft., OU=Tanusitvanykiadok, CN=NetLock Expressz (Class C) Tanusitvanykiado | 1 |
| C=NL, O=TERENA, CN=TERENA SSL CA | 1 |
| C=FI, O=Sonera, CN=Sonera Class2 CA | 1 |
| C=US, O=SecureTrust Corporation, CN=SecureTrust CA | 1 |
| C=BE, O=Certipost s.a./n.v., CN=Certipost E-Trust Secondary Normalised CA for SSL and Code | 1 |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------+
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
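
An added example (not part of the original post or the Observatory's own code): the same selection done in Python by parsing the SAN text and counting entries, next to a function that mimics the WHERE clause above, run over constructed rows. It assumes the SAN column holds OpenSSL-style text ("DNS:a, DNS:b") and that the MySQL comparison is case-insensitive; all function names and sample rows are hypothetical.

```python
import re
from collections import Counter

# Constructed rows: (Issuer, Subject, SAN text in OpenSSL's "DNS:a, DNS:b" form).
ROWS = [
    ("CN=Example CA A", "C=US, O=Example, CN=*.example.com",
     "DNS:*.example.com, DNS:example.com, DNS:example.net"),
    ("CN=Example CA A", "C=US, O=Example, CN=*.example.org",
     "DNS:*.example.org, DNS:example.org, DNS:www.example.info"),
    # Two DNS entries, but the text "dns" occurs three times.
    ("CN=Example CA B", "O=Example, CN=*.example.com",
     "DNS:*.example.com, DNS:dns.example.com"),
    # Three DNS entries, no wildcard CN.
    ("CN=Example CA B", "O=Example, CN=www.example.com",
     "DNS:www.example.com, DNS:a.example.com, DNS:b.example.com"),
]

def san_dns_names(san_text):
    """Return the dNSName values from an OpenSSL-style SAN string."""
    names = []
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.lower())
    return names

def subject_cn(subject):
    """Return the CN value from a one-line subject, or None."""
    m = re.search(r"(?:^|[,/]\s*)CN=([^,/]+)", subject)
    return m.group(1).strip() if m else None

def wildcard_with_sans(subject, san_text, min_names=3):
    """Wildcard CN plus at least min_names SAN DNS entries."""
    cn = subject_cn(subject)
    return bool(cn) and cn.startswith("*.") and len(san_dns_names(san_text)) >= min_names

def query_like(subject, san_text):
    """The post's WHERE clause, assuming case-insensitive matching."""
    return "CN=*" in subject and bool(re.search("DNS.*DNS.*DNS", san_text, re.I))

def count_by_issuer(rows, match):
    """GROUP BY Issuer ORDER BY c DESC over rows accepted by match."""
    return Counter(i for i, subj, san in rows if match(subj, san)).most_common()

if __name__ == "__main__":
    print("parsed:", count_by_issuer(ROWS, wildcard_with_sans))
    print("query :", count_by_issuer(ROWS, query_like))
```

The two counts differ only on the row whose hostname itself contains "dns", which the pattern match counts as a third entry.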