Using same wildcard SSL Certficate on different machine - ssl-certificate

Suppose I have a wildcard ssl certificate for "*.example.com", can I use the same certificate on different machines like "qa.example.com", "pp.example.com" with different IP?

Generally, with a wildcard cert, yes you can.
Wildcard certificates are generally a single certificate that can be applied to multiple servers. It would be something that you could use for QA, Dev and PP. Each server needs a certificate whether it is a wildcard one or not anyway.

Related

All domain names showing up in a single ssl certificate

I just installed a Cloudflare Origin CA ssl certificate on my server. Because I have many domains on this server, I configured the certificate to protect them all, so I can use only one certificate for all my domains (domain1.com, domain2.com, etc...).
I went to check my ssl was working properly with the service whynopadlock.com, and I realized this service can list ALL of my domain names on the server by just accessing domain1.com? Are all the domains in a certificate meant to be public, is this normal behavior and can I avoid it?
I also noticed whynopadlock.com lists some domains in the certificate that are not mine. Does it mean Cloudflare is using the same certificate for many different users?
Are all the domains in a certificate meant to be public, is this normal behavior and can I avoid it?
All certificate subject alternate names are part of the certificate and are sent to every client that tries to connect securely.
There is no way to avoid it unless you want to use separate certificates for each domain.
I also noticed whynopadlock.com lists some domains in the certificate that are not mine.
Cloudflare states that this is normal:
Are Cloudflare SSL certificates shared?
Universal SSL certificates are shared across multiple domains for
multiple customers. If certificate sharing is a concern, Cloudflare
recommends a Dedicated or Custom SSL certificate.
Note that Cloudflare (as of Feb 2019) does provide dedicated certificates if you do not want to use a shared certificate.

How can I secure all web server in a multi domain (Active Directory Forest) environment using single SSL certificate?

I have a multi-domain environment (active directory forest), e.g. subdomain1.mydomain.com, subdomain2.mydomain.com where mydomain.com is root AD domain (GC) and subdomain1 and subdomain2 are child domains under mydomain.com. In total I have four subdomains and more can be added if required.
I have web servers like server1.subdomain1.mydomain.com and server2.subdomain2.mydomain.com. I need to get an SSL certificate to secure these server and also any servers which are added in future.
My questions are:
Can I have a multi-level wildcard certificate (*.*.mydomain.com)
to secure all servers?
Do I need to have individual certificates for
each subdomains (e.g. *.subdomain1.mydomain.com,
*.subdomain2.mydomain.com)?
Is UCC certificate suitable for this requirement?
Thanks.
Can I have a multi-level wildcard certificate (..mydomain.com) to secure all servers?
No, multi-level wildcards will not be accepted by the browsers.
Do I need to have individual certificates for each subdomains (e.g. *.subdomain1.mydomain.com, *.subdomain2.mydomain.com)?
There is no need to have individual certificates. You can have a single certificate which covers multiple hosts
Is UCC certificate suitable for this requirement?
Probably yes.

Wilcard certificate with alt names

I would like to have a Wild card SSL Certificate with alternative names. I have asked the question to SSL Certificate providers and they answer that I should use a UCC certificate however the UCC did not allow me to setup multiple websites in the same IIS.
WildCard SSL Certificate can protect only single level domains such as *.domain.com, edit.domain.com. So make sure that you are trying to protect single level domains with UCC SSL certificate.
UCC certificate will allow you setup multiple website in the same IIS server. It'll allow you to reduce your cost. And more beneficial thing is, it'll free you from harassing process of multiple certificate management.

Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com

Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com, I need because I am using 2 IP on my dedicated server but now I am moving to Azure on azure we can't add two https endpoint. or other solution for azure I need two https endpoint
You can purchase a wildcard SSL certificate that encrypts requests made to *.example.com. This will work for an unlimited number of third-level subdomains. To include the second-level (example.com) and forth-level (subforthlev.subthirdlev.example.com) or higher subdomains, you must find a certificate authority (CA) that allows you to include multiple subject alternate names (SANs) in the wildcard certificate. Each non third-level domain needs to be manually added as a SAN.
Edit: I've used DigiCert's wildcard certificates several times and I have not come across a browser or device that did not have their root certificate installed (see their compatibility list). DigiCert wildcard certs allow you to secure an unlimited number of subdomains regardless of the domain level. Excerpt from first link:
DigiCert WildCard ssl certificates are unique in allowing you to secure ANY subdomain of your domain, including multiple levels of subdomains with one certificate. For example, your WildCard for *.digicert.com com could include server1.sub.mail.digicert.com as a subject alternate name.
If you want your certificate to be valid for both *.mysubdomain.example.com and mysubdomain.example.com, it needs to have a Subject Alternative Name entry for both.
The *.mysubdomain.example.com wildcard expression doesn't cover mysubdomain.example.com.
These rules are defined in RFC 2818 and clarified in RFC 6125:
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
In practice, that's indeed how most browsers react.
It's however quite likely that a CA issuing a wildcard certificate for *.mysubdomain.example.com will also add a SAN for mysubdomain.example.com. Check with your CA.
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/

SSL certificate - basic or wildcard question

I am not sure if I need a basic or wildcard certificate and how many.
1) I assume 1 certificate goes in 1 server - so if I have 2 web servers then i need 2 certificates?
2) From what I read wildcard is only needed for subdomains. But what about if i have the same main domain but just use subdomains for multilanguage? like my site is say www.xxx.com and when someone is viewing it in british english i change it to: uk-eng.xxx.com
In the above case will a basic certificate work or is this a wildcard?
Two web servers usually have different host names (if it's not a cluster). So you need protect both host names.
An HTTP certificate protects the host name, so a certificate for "www.xxx.com" is only for this domain. Wildcard allows subdomains, i.e. "*.xxx.com" allows all names e.g. "www.xxx.com" and "uk-eng.xxx.com", but more expencive, however you can use the same certificate on several servers.
One certificate is usually needed per domain, not per server (one cert can cover more than one domain, hence "usually"). For multiple subdomains you would need a wildcard certificate.
If you are not sure, the best idea is to contact CA's support and ask them what they can offer you. Different CAs have different offers for cases like yours.
JFYI: Standard single-domain certificate is usually issued for "domain.com" and "www.domain.com" (so it covers a domain and one of it's subdomains).