IIS 7- Can I combine EV SSL with Wild card certificates? - ssl

Our site has a lot sub-domains which we all secure with a wildcard SSL certificate. Now we want to add an EV-SSL certificate for our www sub-domain to increase security and trust in our site. The other sub-domains still have to use the wildcard certificate.
The site is configured as a single site on IIS 7 with all sub-domains listed as http(s) bindings.
Is it possible in IIS 7 to use these two certificate types on one domain?

Yes, it is possible to have two different certificates for the same domain name with the help of SNI technology and need to binding your certificates during configuration.
You need to request EV SSL certificate for your example.com which will secure both versions of the domain as www and non-www.
For subdomains security, you can apply for Wildcard SSL certificate for *.example.com
References –
https://www.ssl2buy.com/wiki/server-name-indication-sni-use-multiple-ssl-on-a-single-ip
https://support.comodo.com/index.php?/Knowledgebase/Article/View/639/0/certificate-installation-microsoft-iis-7x

No, it is not possible that you can use two SSL certificate type for same domain name. Because SSL certificate is issued to FQDN (Fully Qualified domain name).
So you can't use two SSL certificate for same domain name.
For example,
If you are using wildcard ssl certificate for blog.xyz.com then you can't take EV SSL certificate for that same domain name.

Related

Standard SSL to protect multiple subdomains

I have a domain(GoDaddy), say example.com and standard SSL certificate to protect it. The combo works fine to setup a secured website hosted in Apache2 at https://www.example.com
Can the same SSL certificate be used for more subdomains like https://api.example.com and https://learn.example.com?
Standard SSL certificate can only secure single domain name for example example.com but it can secure api.example.com, learn.example.com but for that you will have to purchase separate standard SSL certificate for each sub domain.
So in this case Wildcard SSL certificate will remain the best option to secure first level of unlimited sub domains of the main domain name (example.com) like api.example.com, learn.example.com,payment.example.com etc. etc.
If you want to protect multiple sub domains like https://api.example.com and https://learn.example.com, you need a wildcard SSL Certificate which can cover unlimited number of sub domains.
Additionally, if you want to protect both multiple domains or sub domains, you can use multi domain wildcard SSL Certificate.

NET::ERR_CERT_COMMON_NAME_INVALID - www to non-www with ssl and sub-domains [duplicate]

I bought a wildcard certificate for *.example.com. Now, I have to secure *.subdomain.example.com. Is it possible to create a sub-certificate for my wildcard-certificate?
If it is, how I can do this?
No, it is not possible. A wildcard inside a name only reflects a single label and the wildcard can only be leftmost. Thus *.*.example.org or www.*.example.org are not possible. And *.example.org will neither match example.org nor www.subdomain.example.org, only subdomain.example.org.
But you can have multiple wildcard names inside the same certificate, that is you can have *.example.org and *.subdomain.example.org inside the same certificate.
It is impossible to secure multi-level subdomains with a single wildcard certificate. If wildcard certificate issued for *.mydomain.tld, so it can secure only first-level subdomains of *.mydomain.com.
To secure your second-level subdomains, you have two choices.
Purchase another wildcard certificate for *.sub1.mydomain.tld. In that case, you need to manage two individual wildcard certificates.
You can go with a multi-domain wildcard certificate, where you can add up to 100 multiple domains or subdomains.
For example,
*.mydomain.tld
*.sub1.mydomain.tld
*.sub2.mydomain.tld
*.anydomain.com
It will secure your multiple domains and multi-level subdomains and reduce your hassle from multiple certificate management.
As per 7 year old article at https://www.digicert.com/news/2010-9-1-new-wildcard-features/ :
DigiCert Wildcard Plus certificates can secure any subdomain using
subject alternative names (SANs). A traditional wildcard certificate
for *.example.com will only secure a first-level subdomain of
example.com such as mail.example.com. DigiCert’s Wildcard Plus
certificate uses SANs to secure any subdomain of example.com,
including multi-level subdomains such as mail.internal.example.com.
With this new feature, all subdomains can be secured with a single
Wildcard Plus certificate from DigiCert. The base domain itself,
example.com, is automatically included as a SAN in every Wildcard Plus
certificate as well, which increases compatibility and protects
example.com with or without the “www.”
No, You can't create sub-certificate for your wildcard.
-> Your wildcard Certificate is for *.mydomain.tld, so as per Wildcard SSL guideline you can secure first level sub-domains. Means anything.mydomain.tld can be secured.
-> But if you want to use it to secure *.subdomain.mydomain.tld, which is for second level sub-domains, but wildcard certificate cant secure second level sub-domains.
Solution
-> You need to buy one more wildcard SSL Certificate for your second level sub-domain *.subdomain.mydomain.tld

Can i implement Wild card SSL certificate on Two Domains?

I have Wild Card SSL Certificate and i need to implement it on multiple domains. on first it is being implemented and on second i have to implement. Is it possible that i can implement the same certificate on Two Domains. Domains are hitting the same IP Address, means hosted on same server. But having different Domains first is like: https://erp.example.com and Second is http://app.example.com. Both application are differently hosted on IIS.
Please suggest.
If the certificate is a *.example.com cert, then yes, you can. That is, after all, the whole point of a wild card certificate: to support any domain combination of the base domain.
We do it ourselves.
I'm unsure if that is your actual question though.
If you have enabled your Wildcard SSL certificate for your domain *.example.com then yes you can secure both subdomains erp (.dot) example.com and app (.dot) example.com.
Below resources will help you to install Wildcard SSL certificate on IIS server very easily:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO19990
https://www.clickssl.net/blog/how-to-install-wildcard-ssl-certificate-in-iis-7
You are questioning about two domains, but actually you have two sub-domains under single domain and if you already have Wildcard SSL certificate, your all sub-domains will be protected. Wildcard SSL issued on *.example.com will automatically secure unlimited number of sub-domains. It does not really matter your sub-domains are hosted on same server or differently, you can secure all with Wildcard Certificate.
What will be secured with single Wildcard SSL;
https://app.example.com
https://erp.example.com
https://anything.example.com
Ps: Wildcard certificate will help you secure sub-domain only first level.

Generating a CSR for root domain (includes www or not?)

I am trying to set up SSL for the first time. I purchased my domain and SSL certificate from Gandi.net. Their docs say
subdomain.example.com indicates the subdomain that you want to
protect. This is the most important part. If you have a single-address
certificate to activate, you should put in the full subdomain (e.g.
foo.example.com). The www subdomain is added automatically by the CA,
for example, example.com will secure both example.com and
www.example.com If you have a wildcard certificate, you should put in
a * for the subdomain (e.g. *.example.com). Wildcard certificates also
secure the raw domain (with no subdomain).
- http://wiki.gandi.net/en/ssl/csr
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains.
- https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
These seem to conflict. Please advise!
You'll want to get a certificate from an authority that supports the Subject Alternate Name X.509 extension.
This will let you get a domain with its Common Name set to www.mydomain.com, and an Alternate Name set to mydomain.com(as Lloeki noted, you should provide both names as alternate names).
It depends what Certificate Authority(CA) you have been choosen to purchase certificate.
Some of them provide alternate domain name including "www" like option some of them no.
As you have written above:
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains. -
https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
It is true - because yourdomain.com and wwww.yourdomain.com are considered as different domains (multi-domain) and your certificate has to be trusted to recognize both of them. So before generating CSR string please attentively read requirements for CSR string and features provided by a CA.

SSL certificate for a subdomain hosted remotely

Scenario: Suppose www.test.com is a domain that exists and I want to handle requests for widgets.test.com on my webserver. I work with their administrator and adjust their DNS record to point widgets.test.com to an IP address on my webserver.
Question: If I want to handle https requests for that subdomain, do I purchase the SSL cert for widgets.test.com and install on my webserver? Or, does a cert have to be purchased for the top level domain and installed on the primary webserver?
It doesn't have to be purchased for the main domain, you can purchase an SSL cert for a specific subdomain. SSL certs are keyed to the exact domain that you specify, so if you purchase one for "https://*.mysite.com" that's a different cert than for "https://mysite.com".
If you want to get an SSL certificate that would cover both, you might want to look into purchasing something like a Wildcard SSL certificate.