Doc Audience: developers of applications using Public Key certificates to access services like Person Directory Service, Groups Directory Service, etc.
Doc Status: Drafty, but useful?  Not yet reviewed.

Question

If I have two apps that could be described in one of the following ways:

  • a production version and an evaluation/test version of the same app;
  • nearly identical applications, customized slightly (in data or function) for different audiences or purposes;
  • different apps (related or unrelated) that run on the same host;

should I establish a distinct DNS name and certificate/public-key-pair for each application?  Or might multiple apps share the DNS name and certificate / key-pair?

Short Answer to "One vs Multiple DNS Names and Certificates"

USE DISTINCT DNS NAMES, CERTS, KEY PAIRS: The Identity and Access Management group recommends using distinct DNS names (and certs and key pairs) to identify each application (of perhaps several) in the following situations:

  • There is a production version and an evaluation/test version of the same app.   
  • There are two or more nearly identical applications, customized slightly (in data or function) for different audiences or purposes. 
  • There are multiple different apps (related or unrelated) that run on the same host or virtual server.

Multiple instances of the same application (that run, for example, as a replicated or backup service or in a clustered environment) may share a single DNS name, key pair and client certificate to minimize unreasonable administrative overhead without compromising security objectives.

Long Answer to "One vs Multiple DNS Names and Certificates"

Using a distinct DNS name, key pair and certificate for each app is typically a best practice for the following reasons:

  1. Service/data providers (like Person Directory Service) can control the access for each app separately.  Even if that's not important now, it could be in the future, e.g., if one of the apps were to be augmented with new features not applied to the other app.
  2. You want to be able to distinguish the two apps in audit logs or transaction logs (e.g. if we were to try to help you diagnose a problem by referring to the PDS log for your app's queries, or if a compromise were being investigated by a security forensics team).
  3. You might especially want to establish separate access controls and audit identities if the apps have different security models (e.g., one was designed/protected more securely than the other, or the end-users of one app are a bigger, less well-trained, or less trustworthy group than the end-users of the other app). You might want stricter access control on the less-trustworthy app, or remove access altogether if a less secure app were to become compromised by an attacker.
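
The three points above can be shown in a service-side check. The following is an added example written for this page, not IAM or PDS code: per-app grants, revocation and the audit trail are all keyed on the client certificate's subject CN (the app's DNS name), and it assumes the TLS layer has already validated the chain. The identities, policy table and traffic are constructed.

```python
"""Per-app access control keyed on the client certificate identity (added example).
Assumes TLS has already validated the client certificate chain and hands us the
certificate's subject CN, i.e. the app's DNS name. Policy and traffic are made up."""
from collections import Counter

# Hypothetical service-side grants: operations each certificate identity may call.
POLICY = {
    "myapp-prod.example.edu": {"lookup", "search"},
    "myapp-test.example.edu": {"lookup"},          # test copy gets a narrower grant
    "myapp.example.edu": {"lookup", "search"},     # the shared-certificate alternative
}

# Identities whose access has been withdrawn (e.g. after a compromise).
REVOKED = set()

def authorize(identity, operation, audit):
    """Decide one request, append an audit line, return True if allowed."""
    if identity in REVOKED:
        decision = "DENY(revoked)"
    elif operation in POLICY.get(identity, set()):
        decision = "ALLOW"
    else:
        decision = "DENY"
    audit.append(f"client={identity} op={operation} result={decision}")
    return decision == "ALLOW"

def run(requests):
    """Process (identity, operation) pairs; return decisions and the audit log."""
    audit = []
    return [authorize(ident, op, audit) for ident, op in requests], audit

def clients_in_audit(audit):
    """Requests per client identity, as a forensics review would recover them."""
    return Counter(line.split()[0].split("=", 1)[1] for line in audit)

# Constructed traffic. DISTINCT: prod and test each look up; test also tries a search.
DISTINCT = [("myapp-prod.example.edu", "lookup"),
            ("myapp-test.example.edu", "lookup"),
            ("myapp-test.example.edu", "search")]
# SHARED: the same three calls when both apps present one certificate.
SHARED = [("myapp.example.edu", op) for _, op in DISTINCT]

if __name__ == "__main__":
    for name, traffic in (("distinct", DISTINCT), ("shared", SHARED)):
        decisions, audit = run(traffic)
        print(name, decisions, dict(clients_in_audit(audit)))
    REVOKED.add("myapp-test.example.edu")       # cut off only the test app
    print("after revoking test:", run(DISTINCT)[0])
```

With the shared identity the audit log cannot tell the two apps apart and the test app inherits the production grant, whereas with distinct identities the test app can be restricted or revoked on its own.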

If the points above are not that relevant to your apps (and some of the points above tend to become moot if the apps have near-identical security models and run on the same host), then it wouldn't make a whole lot of difference whether you used one DNS name/cert or two. And we wouldn't refuse you access if you set it up to use one cert rather than two.

Still, possible future changes to your app, or to our environment in general, are more likely to increase the usefulness of having separate DNS names/certs, so that's what the Identity and Access Management group recommends.