NSA Warns of Risks Posed by Wildcard Certificates, ALPACA Attacks

Don’t pay a heavy price for convenience

The National Security Agency recently issued guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques.

Titled Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique, the new guidance encourages network administrators to assess their environments and ward off any unwanted risks brought in by the usage of wildcard certificates. This is also to ensure that the environments are not vulnerable to ALPACA attacks.

What is a Wildcard Certificate?

A wildcard certificate can be used by multiple subdomains of a registered domain. Websites with wildcard certificates have an asterisk (*) and a period before their domain names. For example, a domain secured by a wildcard certificate is denoted by https://*.abc.com, where the ‘*’ stands for any of abc.com’s subdomains, such as help.abc.com, blog.abc.com, etc.

Why do organizations use wildcard certificates?

The primary reason for using wildcard certificates is to simplify management and reduce cost. When you purchase one wildcard certificate, you can use it for an unlimited number of subdomains. This comes in handy during renewal, since you only need to roll out the one new certificate. However, when things go wrong, this initial convenience disappears quickly. In the absence of stringent security measures and enhanced control, wildcard certificates are prone to phishing attacks.

At the outset, it might appear that wildcard certificates are more suitable for smaller organizations or for a limited number of exposed domains. However, in the case of distributed applications, securing the certificates becomes a challenge, thereby exposing organizations to Application Layer Protocols Allowing Cross-Protocol Attacks, or ALPACA.

Control Your Certificates Before They Go Rogue!

When multiple subdomains are secured by the same certificate, compromise of that one wildcard certificate severely affects every other service that relies on it for secure communication. And what about private key security? If a wildcard certificate’s private key falls into the wrong hands, attackers can impersonate any domain covered by the wildcard certificate.

When a certificate is revoked, there is a direct impact on all the servers that use that certificate: every one of them needs to be updated to use the new certificate. Likewise, before a certificate expires, it needs to be replaced with a new one, and an expired certificate raises the same challenges as a revoked one. Organizations can face severe outages if the certificate is not renewed on time.
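To make the shared blast radius described above visible before a key is lost or a certificate is revoked, here is an added example (not from the NSA guidance or from AppViewX) that matches discovered hostnames against certificate SAN entries and reports how many hosts depend on each key. It generalises the wildcard rule from the definition above to the usual RFC 6125 behaviour (a ‘*’ is only valid as the whole leftmost label and covers exactly one label), and the certificate inventory and hostnames are constructed sample data.

```python
# Added example (not from the NSA guidance or AppViewX): maps an inventory of
# hostnames to the certificates whose SANs cover them and reports how many
# hosts share each key, so the blast radius of a wildcard certificate is
# visible before its key is lost or the certificate is revoked.
from collections import defaultdict


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN entry against a hostname following the common RFC 6125
    rules: case-insensitive, '*' is allowed only as the whole leftmost label
    and covers exactly one label (*.abc.com covers help.abc.com but neither
    abc.com nor dev.internal.abc.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards (f*.abc.com), nested wildcards and *.tld patterns.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def blast_radius(certs: dict, hosts: list) -> dict:
    """Return {certificate name: sorted hostnames it covers}. A host covered by
    several certificates is attributed to each of them."""
    covered = defaultdict(list)
    for host in hosts:
        for cert_name, sans in certs.items():
            if any(wildcard_matches(san, host) for san in sans):
                covered[cert_name].append(host)
    return {name: sorted(h) for name, h in covered.items()}


# Constructed sample inventory: certificate name -> SAN entries, plus the
# hostnames a discovery scan found. None of these are real deployments.
CERTS = {
    "wildcard-abc": ["*.abc.com"],
    "www-abc": ["abc.com", "www.abc.com"],
    "api-abc": ["api.abc.com"],
}
HOSTS = ["help.abc.com", "blog.abc.com", "api.abc.com", "abc.com",
         "dev.internal.abc.com", "www.abc.com"]

if __name__ == "__main__":
    report = sorted(blast_radius(CERTS, HOSTS).items(), key=lambda kv: -len(kv[1]))
    for name, covered_hosts in report:
        print(f"{name}: {len(covered_hosts)} host(s) share this key -> {', '.join(covered_hosts)}")
```

Hosts that no inventoried certificate covers (here dev.internal.abc.com, which a single-label wildcard does not reach) are exactly the gaps a discovery scan should flag.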

How can organizations respond?

Organizations have two broad options. Firstly, they can secure all deployments that use wildcard certificates, automate deployment, and secure the keys, typically with a software or hardware security module (HSM) or similar key store so that no one can access the keys directly. Organizations also need to ensure that there are no known or unknown vulnerabilities in any of those applications, but that is difficult to achieve.

The second option is to use separate certificates for each application domain and secure keys and applications similar to the first option. However, that comes with overhead costs since certificates need to be managed manually. To counter that, organizations need to invest in an automation solution to automate deployments.

Visibility – The Cornerstone of any protection mechanism

Whether you are using a wildcard certificate or not, you need complete visibility into your certificate infrastructure to minimize the risk of outages. The smart discovery in AppViewX CERT+ finds certificates in different ways and from various sources for holistic visibility. CERT+ is a turnkey public key infrastructure (PKI) solution that includes full-featured certificate lifecycle management (CLM) and workflow automation.

CERT+ discovers certificates from various devices and applications across hybrid-cloud or multicloud environments. Unauthenticated network scans and authenticated scans of devices, certificate authority (CA) accounts, and cloud accounts are used to discover as many certificates as possible. Appropriate knobs are available to balance discovery time and pressure on the network.

Simplify security with certificate lifecycle automation

Digital certificates are the face of your enterprise online. When a customer visits your application, these certificates help to determine their first impression of your enterprise and often dictate the relationship and level of trust they will have with you going forward.

Organizations need to carefully evaluate the risks that come with deploying the same wildcard certificate across multiple applications against any other option that promises security. Investing in the right automation tool should make this easier, letting you achieve more with limited resources.

The AppViewX Next-Gen Machine Identity Automation Platform helps enterprise IT manage and automate the entire lifecycle of their internal and external public key infrastructure (PKI). Our certificate lifecycle automation solution provides extensive visibility into the certificate and encryption key infrastructure, which helps protect the enterprise from outside threats. Application, network and security engineers may self-service and initiate automation workflows that deliver compliance and true business agility.

With AppViewX CERT+, enterprises can quickly set up their internal root certifying authority (CA) as well as issuing CAs without having to invest upfront in costly hardware, complicated processes, or cumbersome PKI operations. Certificate lifecycle management (CLM) in CERT+ simplifies all certificate operations between the CA and the applications where certificates are used.

CERT+ simplifies the management of certificates and keys across technologies like SSL/TLS, SSH, IoT, and code signing in hybrid-cloud and multi-cloud deployment environments. CERT+ natively supports a long list of devices and applications for certificate provisioning and all major public and private CAs for certificate enrollment. Support for protocols like Enrollment over Secure Transport (EST) and Automatic Certificate Management Environment (ACME) comes in especially handy for high-speed certificate enrollment in IoT device manufacturing.


About the Author

Sanchita Chakraborti

Director, Product Marketing – AppViewX CERT+

Sanchita is a Product Marketer responsible for understanding the industry landscape, buyer personas, their pain points and translating them into compelling value propositions and messaging.
