When I try to upload an SSL certificate for my Bluemix custom domain, I receive this error message:
BXNUI2072E: The intended host name, *.<custom_domain>, is not a subject within the certificate.
How can I go about getting my certificate uploaded successfully and avoid this error?
Thanks!
I learned that the problem here was due to the certificate I was using, which was for a single, specific domain. Bluemix supports only wildcard certificates, that's a key point.
I got around this by replacing my single domain certificate with a wildcard certificate.
To generate a wildcard certificate, I needed to specify a wildcard domain by adding an asterisk (*) and a period (.) in front of my custom domain name.
In the example that follows I used OpenSSL to generate a self-signed wildcard certificate. I've generalized the example but simply specify a wildcard domain for the Common Name field.
Common Name (e.g. server FQDN or YOUR name) []:*.<custom_domain>
I tested and successfully got this to work for both a self-signed certificate and a certificate signed by a certificate authority.
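A pre-upload check for the situation in the answer above, as an added example that is not part of the original post: it generates a self-signed wildcard certificate and a single-host one with OpenSSL, then tests whether `*.<custom_domain>` is among each certificate's subject names. The domain `example.test`, the function names and the temporary paths are assumptions; putting the name in subjectAltName as well as the Common Name is also an addition here and needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; example.test is a constructed placeholder domain.

# make_cert NAME PREFIX: write PREFIX.key and PREFIX.crt, a self-signed
# certificate carrying NAME as both Common Name and SAN DNS entry.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2.key" -out "$2.crt" 2>/dev/null
}

# cert_names CERT: print the Common Name and every SAN DNS entry, one per line.
cert_names() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# covers_wildcard CERT DOMAIN: succeed only if "*.DOMAIN" is literally one
# of the certificate's names (fixed-string, whole-line comparison).
covers_wildcard() {
  cert_names "$1" | grep -Fxq "*.$2"
}

# Demo: one wildcard and one single-host certificate for the same domain.
tmp=$(mktemp -d)
make_cert "*.example.test" "$tmp/wildcard"
make_cert "www.example.test" "$tmp/single"
for c in wildcard single; do
  if covers_wildcard "$tmp/$c.crt" example.test; then
    echo "$c.crt: *.example.test is a subject of the certificate"
  else
    echo "$c.crt: no wildcard subject; names: $(cert_names "$tmp/$c.crt" | tr '\n' ' ')"
  fi
done
rm -rf "$tmp"
```

Running `cert_names` on a CA-issued certificate before uploading it shows exactly which names the platform will see.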
Related
We have purchased a valid wildcard SSL certificate from Entrust.
Let's say it is a wildcard certificate that covers *.ourcompany.com
I understand we can use this certificate directly on our web services.
Since it'll be a lot of servers, we wanted to lock down the wildcard certificate a little bit.
Can we use this wildcard certificate to sign a separate set of certificates for subdomains like service1.ourcompany.com, service2.ourcompany.com, etc.? (without involving Entrust for each of those subdomains/subservices).
Pros:
If one of those services gets compromised, it'll be limited to that service only;
We don't have to reach out to Entrust for each of the subdomains (as there could be a lot of them) - also in terms of cost.
In other words, I'm thinking if it's possible to treat a wildcard ssl cert as an "authority" to validate ssl certs in subdomains. (be part of SSL Certificate Chain)
Thank you.
I obtained an SSL certificate from my company's certificate authority. The Common Name value of the certificate contains a repeated domain name like so:
host.domain.domain
It should actually be:
host.domain
Not sure how this happened. Will this pose a problem when a browser tries to verify the certificate?
I have a wildcard self-signed certificate for two domains
*.abc.com
*.xyz.com
I'm accessing the servers https://one.abc.com and https://two.xyz.com via a third service https://three.abc.com and using the same self-signed certificate
I want to ignore the ssl warnings only once.
Note: I've broken down the issue.
Exceptions in the browser will be added only for the currently requested domain. If you want the self-signed certificate to be trusted for all domains contained in the certificate you have to explicitly add it to the trust store instead of only overriding the browser warnings.
To begin let's say I have this configuration :
mywebsite.com is related on machine 0.0.0.1 (with ssl certificate)
cloud.mywebsite.com is related on machine 0.0.0.2 (without ssl certificate)
Can I ask for a new SSL certificate for "cloud.mywebsite.com", or will this create issues because of domain/subdomain?
Thanks for the response.
Instead of asking for a new SSL Certificate, you only need to get a Wildcard SSL Certificate that will secure your main domain as well as all its sub-domains. For example:
If you get a Wildcard SSL certificate for *mywebsite.com, then it will secure:
https://cloud.mywebsite.com
https://mail.mywebsite.com
https://photos.mywebsite.com
https://anything.mywebsite.com
So, you will not have to manage multiple SSL certificates for your main domain and its sub-domains. A Wildcard SSL certificate will reduce the hassle for server administrators of managing multiple SSL certificates. I suggest you read this article, which will give you a clear understanding of Wildcard SSL Certificates.
I am trying to activate HTTPS for my domain name. Chrome recognizes the SSL certificate when I go to https://www.example.com, but I get the error and it says that my SSL is not trusted. What do I need to do to get my SSL certificate to be trusted?
Instead of using a self-signed certificate, get one from a certificate provider. I'd recommend looking at LetsEncrypt because they have good automated support for renewing certificates automatically.