I would like to have a Wild card SSL Certificate with alternative names. I have asked the question to SSL Certificate providers and they answer that I should use a UCC certificate however the UCC did not allow me to setup multiple websites in the same IIS.
WildCard SSL Certificate can protect only single level domains such as *.domain.com, edit.domain.com. So make sure that you are trying to protect single level domains with UCC SSL certificate.
UCC certificate will allow you setup multiple website in the same IIS server. It'll allow you to reduce your cost. And more beneficial thing is, it'll free you from harassing process of multiple certificate management.
Related
I just installed a Cloudflare Origin CA ssl certificate on my server. Because I have many domains on this server, I configured the certificate to protect them all, so I can use only one certificate for all my domains (domain1.com, domain2.com, etc...).
I went to check my ssl was working properly with the service whynopadlock.com, and I realized this service can list ALL of my domain names on the server by just accessing domain1.com? Are all the domains in a certificate meant to be public, is this normal behavior and can I avoid it?
I also noticed whynopadlock.com lists some domains in the certificate that are not mine. Does it mean Cloudflare is using the same certificate for many different users?
Are all the domains in a certificate meant to be public, is this normal behavior and can I avoid it?
All certificate subject alternate names are part of the certificate and are sent to every client that tries to connect securely.
There is no way to avoid it unless you want to use separate certificates for each domain.
I also noticed whynopadlock.com lists some domains in the certificate that are not mine.
Cloudflare states that this is normal:
Are Cloudflare SSL certificates shared?
Universal SSL certificates are shared across multiple domains for
multiple customers. If certificate sharing is a concern, Cloudflare
recommends a Dedicated or Custom SSL certificate.
Note that Cloudflare (as of Feb 2019) does provide dedicated certificates if you do not want to use a shared certificate.
I work on a web application with a wildcard cert -- multiple environments all as subdomains of the root domain, works pretty well.
The application is bilingual (english/french), and supports switching between the two, but the domain name remains english. Someone asked me about supporting a French domain name recently, and that sent me off into research mode.
There are apparently internationalized domain names and although the punycode domain feels pretty weird, the user experience seems ok. And there are multi-domain SSL certificates, which I guess would work if we weren't already using a wildcard certificate. Can you get a multi-domain wildcard cert so that you could accept requests on *.cats.ca and *.chats.ca (generic example of a domain name in french and english) or *.cats.com and *.gatos.com for an english/spanish site in America, where a single website host could respond to requests in SSL for subdomains of both domains?
I tried searching, didn't find much -- and I'm not totally convinced this is the right stack exchange, but most of the SSL cert questions I found were here.
There are certificates that do support multi domain wildcards. For example, this one issued by Comodo and another one issued by Digicert. You can probably check with your certificate provider on the availability and cost of such a certificate.
I agree with Anand's answer, Multi Domain Wildcard SSL certificates can protect both multiple domains and their unlimited number of sub-domains.
Domains and Sub-domains it can secure
Comodo offers 3 types of Multi domain wildcard certificates.
Comodo Multi Domain Wildcard - For Organization validation
Comodo Positive Multi-Domain Wildcard - For Domain Validation
Comodo UCC (Unified Communication) Wildcard - For Organization validation on Microsoft Exchange and OCS server.
Here's the deals for Multi Domain Wildcard certificates.
I have a multi-domain environment (active directory forest), e.g. subdomain1.mydomain.com, subdomain2.mydomain.com where mydomain.com is root AD domain (GC) and subdomain1 and subdomain2 are child domains under mydomain.com. In total I have four subdomains and more can be added if required.
I have web servers like server1.subdomain1.mydomain.com and server2.subdomain2.mydomain.com. I need to get an SSL certificate to secure these server and also any servers which are added in future.
My questions are:
Can I have a multi-level wildcard certificate (*.*.mydomain.com)
to secure all servers?
Do I need to have individual certificates for
each subdomains (e.g. *.subdomain1.mydomain.com,
*.subdomain2.mydomain.com)?
Is UCC certificate suitable for this requirement?
Thanks.
Can I have a multi-level wildcard certificate (..mydomain.com) to secure all servers?
No, multi-level wildcards will not be accepted by the browsers.
Do I need to have individual certificates for each subdomains (e.g. *.subdomain1.mydomain.com, *.subdomain2.mydomain.com)?
There is no need to have individual certificates. You can have a single certificate which covers multiple hosts
Is UCC certificate suitable for this requirement?
Probably yes.
I have domain mydomain.com. I need use subdomains such test1.mydomain.com, helloworld.mydomain.com. These subdomains just host names in IIS bindings for my main site. Users of my sites can add subdomains. Is it possible to use one certificate for all subdomains and main domain? How can I test it with self signed sertificate?
Thanks!
Typically a standard SSL Certificate is issued to a single Fully Qualified Domain Name only, which means it can be used only to secure the exact domain to which it has been issued. With the Wildcard SSL option activated you expand what's possible by receiving an SSL Certificate issued to .domain.com. So if you apply for ".mydomain.com" it will secure "anything.mydomain.com"
Not quite sure on how to do it with self-signed certificates. Hope this info helps.
You will need to use a wild-card certificate eg
http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html
Once all the domains are in effect alliasses of the main domain there should be no problem here.
I dont know much about self signing certificates - except that they seem to be more trouble than they are worth. for less than $10 you can get a cert (not wildcard) from someone like CheapSSLs and test with this if you want - it will just throw an error about the name of the domain not matching the certificate
Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com, I need because I am using 2 IP on my dedicated server but now I am moving to Azure on azure we can't add two https endpoint. or other solution for azure I need two https endpoint
You can purchase a wildcard SSL certificate that encrypts requests made to *.example.com. This will work for an unlimited number of third-level subdomains. To include the second-level (example.com) and forth-level (subforthlev.subthirdlev.example.com) or higher subdomains, you must find a certificate authority (CA) that allows you to include multiple subject alternate names (SANs) in the wildcard certificate. Each non third-level domain needs to be manually added as a SAN.
Edit: I've used DigiCert's wildcard certificates several times and I have not come across a browser or device that did not have their root certificate installed (see their compatibility list). DigiCert wildcard certs allow you to secure an unlimited number of subdomains regardless of the domain level. Excerpt from first link:
DigiCert WildCard ssl certificates are unique in allowing you to secure ANY subdomain of your domain, including multiple levels of subdomains with one certificate. For example, your WildCard for *.digicert.com com could include server1.sub.mail.digicert.com as a subject alternate name.
If you want your certificate to be valid for both *.mysubdomain.example.com and mysubdomain.example.com, it needs to have a Subject Alternative Name entry for both.
The *.mysubdomain.example.com wildcard expression doesn't cover mysubdomain.example.com.
These rules are defined in RFC 2818 and clarified in RFC 6125:
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
In practice, that's indeed how most browsers react.
It's however quite likely that a CA issuing a wildcard certificate for *.mysubdomain.example.com will also add a SAN for mysubdomain.example.com. Check with your CA.
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/