I have a SSL cert installed on http://example.com. I've finished a mobile version of the same site and it sits on http://mobile.example.com. I need to secure that subdomain as well so I purchased another SSL. But now I'm trying to understand how to set it up.. because I know you can only have one SSL per server, correct?
So what's the correct way to go about this? Do I need to change the original SSL to wildcard? Do I need two SSLs?
You can use a wildcard certificate or a certificate that allows multiple SANs (Subject Alt Names). How you set them up is very dependent on your web server. A wildcard certificate only works for subdomains, while SANs can be used for completely unrelated domains.
With Apache (don't know about others) you can also use two separate certificates as long as you're willing to drop support for XP-users (see e.g. http://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm for details).
Related
I have below domains, buying a single wild card certificate beneficial? Or do I need to buy separate SSL certificates.
abc.example.com.au
abc.example.com.nz
abc.api.module.example.com
abc.api.global.example.com
Do I need to consider anything, when buying the SSL for the above domain. Appreciate your inputs.
Probably a better question for ServerFault or SuperUser, but since you're here, a wildcard certificate will only work for subdomains and only one level deep, so it would not work for any of the examples you mentioned.
Example: A cert with cn=*.example.com would work with a.example.com or b.example.com, but not 1.a.example.com. See https://en.wikipedia.org/wiki/Wildcard_certificate for more details.
Also, when using a wildcard does make it simpler to manage your certificates and renewals and applying updated certs and whatnot because the generation process only has to be done once and the same files and configs can be copied to all servers. Consider though that, if there is some kind of security issue with the wildcard cert, then it would affect all servers that use that cert. So a breach on one server would affect all servers and a problem with one would require an update to all servers that use it.
For these reasons, I generally use wildcard certs for non-production systems, and individual certs for production systems.
Single Wildcard SSL Certificate will not work in your all sub-domains.
You have now 3 options.
Get two different wildcard domains
Get a Multi Domain SSL (it will allow you to add sub-domains as well)
Get a Multi Domain Wildcard SSL Certificate (combination of 100 multiple domains and unlimited number of level-1 sub-domains).
We currently have a single development environment with Cloud66. We are hoping to expand to staging and production environments which will be secured with SSL.
Is it possible to use the same wildcard certificate to secure all three environments (obviously with different names for each)?
I've added the detail below as I don't think my original question was clear enough.
Specifically what I want to know is if Cloud66 will allow a single wildcard certificate to be used to secure domains across a number of stacks or if a single certificate can only be used on a single stack.
Yes. When you order a wildcard SSL certificate you can use it to secure multiple sites assuming they each use the same base domain of the wildcard certificate.
Yes you can, Wildcard SSL certificate is used to secure multiple domain names but your main domain name will be same.
Using wildcard you can secure
www.yourdomain.com
blog.yourdomain.com
login.yourdomain.com
secure.yourdomain.com
etc.yourdomain.com.
E.g. I generated a CSR with domain: www.domain.com
If now i want to setup a SSL sub-domain with test.domain.com
Do i need to generate another CSR for the certificate installation?
Or i can just reuse the previous CSR generated for www.domain.com?
You need a new Certificate.
Wildcard certificates
The Next time you can consider buying Wildcard certificates, that will do what you describe above. I was unable to find a good describtion online ( That was not on a vendors site).
So il do my best:
Wildcard certificates allow you to buy for a whole domain like MyCompany.com, and then you can use unlimited amount of subdomains.
But there is restrictions:
1) Not all software support them, so make sure your web server and the application your gonna host does ( Dont think it will be a issue with web servers).
2) Not all client software supports it ( Mostly the issue where would epic old web browsers ( Older then IE 6 ) and Cell phones.
3) They can also support multiple physical servers
4) They are more expensive, so you should do the math.
I've got a webserver that has a single domain SSL certificate: https://secure.example.com
I also have a couple of subdomains that point to different servers:
http://www.example.com, which points to the main server.
http://subdomain.example.com which points to a completely different server.
What is the best way to add SSL to the subdomain https://subdomain.example.com
Is it possible to configure something like this with a wildcard certificate? Or is it better to purchase another single-domain certificate and install it on the seperate server?
You can get a wildcard cert but that is probably more expensive than you need and you'd need to copy your private key to each server -- which really is not recommended unless you are a crypto expert. You are better off simply purchasing two more certs for the two additional machines.
Wild card certificates only cover domains on the same server. I believe it's because the key used in the certificate is tied back to the server.
If you want to add a certificate for sites on other servers you will need specific certificates for those server/domain combinations.
Here is my scenario:
default website on IIS 6.0 is already protected by an SSL cert with common names covering the following:
domainname.com
www.domainname.com
I have a new website on the same IIS server and need to protect it with an SSL cert with the following common name:
subdomainname.domainname.com (same domainname as default)
I do not have the freedom to add a new IP address to the server. Not an infrastructure friendly request for whatever reasons.
We also have our Exchange webmail protected by another cert on another server with:
webmail.domainname.com
I do not believe I can use a wildcard cert because exchange is on a different server, correct?
Whether I can or not use a wildcard server, how can I protect the new subdomain on the main IIS server with a new cert? Do I replace the cert on the default with the new common name representing the subdomain web site and the default web site common names. Can I assign the same cert on the same server with all common names needing protection to multiple websites on IIS 6.0?
Thanks for any help in getting this resolved.
You are correct, you would need multiple signed certificates for your servers. Godaddy offers certs for single-servers only, AFAICT. DigiCert offers multi-domain, multi-server certificates. I've never used them, so I can't vouch for anything they offer, but it shows that what you want IS available in the marketplace.
You can get a single cert and use it on multiple servers so long as the DNS entries map out to the correct servers.
Go Daddy offers several cert types and they don't make it clear how to deal with this issue.
Standard (Turbo) SSL 1 domain ~$30
Standard Multiple Domain (UCC) SSL Up to 5 Domains ~$90
Standard (Turbo) Wildcard SSL ~$200
Get the 5 domain cert with
domainname.com
www.domainname.com
subdomainname.domainname.com
webmail.domainname.com
all listed on the one cert. Complete the request on the server you started the request from then use the tools built into the windows servers to copy the cert from one server to another. Doing so doesn't remove it from the first server and adds it to the second.
I did this not too long ago. My Web server is 2008 and the mail server is 2003. In that combination I had to export as a .pfx file and then import the .pfx. If you do it from 2003 to 2003 you may be able to use the copy from another server option and save manually moving the exported file around.
In my case the cert mentions "Certificate Subject Alt Name" with
Not Critical
DNS Name: www.adomain.com
DNS Name: adomain.com
DNS Name: www.adomain.com
DNS Name: mail.adomain.com
Looks like one of those lines is a duplicate but hey it works. I don't know why the cert uses the terminology of "Not Critical" to head that section.
IIS won't let you put two sites on the same IP/port combo but it will let you put the same SSL on two different sites. The secondary site will have to use something other than 443 if you don't have the option of using a different IP address.