The common name for my SSL Key is .mydomain.com . What common name should i get issued so that i can use a URL like https://api.mydomain.com and https://api-test.mydomain.com ?
You can create a wildcard certificate using *.mydomain.com
Somehow wildcard ssl and simple domain ssl both are same. For your SSL key concern, the only change you should is common name. Wildcard ssl requires key for *.yourdomain.tld.
PS: All SSL CA requires 2048 bit CSR key.
Here you check how it makes difference and similar.
Technical Difference:
Simple ssl and wildcard ssl carry different common name. As explained above.
Simple SSL secures only www and non-www domain name. Where wildcard secures unlimited sub-domain names.
Similar terms:
Both requires domain control verification process. DCV process is compulsory for everyone to acquire ssl certificate.
Both support same technology ssl encryption.
Both requires 2048-bit CSR key.
Related
I work on a web application with a wildcard cert -- multiple environments all as subdomains of the root domain, works pretty well.
The application is bilingual (english/french), and supports switching between the two, but the domain name remains english. Someone asked me about supporting a French domain name recently, and that sent me off into research mode.
There are apparently internationalized domain names and although the punycode domain feels pretty weird, the user experience seems ok. And there are multi-domain SSL certificates, which I guess would work if we weren't already using a wildcard certificate. Can you get a multi-domain wildcard cert so that you could accept requests on *.cats.ca and *.chats.ca (generic example of a domain name in french and english) or *.cats.com and *.gatos.com for an english/spanish site in America, where a single website host could respond to requests in SSL for subdomains of both domains?
I tried searching, didn't find much -- and I'm not totally convinced this is the right stack exchange, but most of the SSL cert questions I found were here.
There are certificates that do support multi domain wildcards. For example, this one issued by Comodo and another one issued by Digicert. You can probably check with your certificate provider on the availability and cost of such a certificate.
I agree with Anand's answer, Multi Domain Wildcard SSL certificates can protect both multiple domains and their unlimited number of sub-domains.
Domains and Sub-domains it can secure
Comodo offers 3 types of Multi domain wildcard certificates.
Comodo Multi Domain Wildcard - For Organization validation
Comodo Positive Multi-Domain Wildcard - For Domain Validation
Comodo UCC (Unified Communication) Wildcard - For Organization validation on Microsoft Exchange and OCS server.
Here's the deals for Multi Domain Wildcard certificates.
I have created a wildcard certificate that works for for xxx.domain.com but not for aaa.bbb.domain.com
when creating the certificate:
Common Name (e.g. server FQDN or YOUR name) []:*.domain.com
but it seems to not be enough.
Wildcard SSL certificate matches only one level. See
Problems with SSL and multi level subdomains
wildcard ssl certificate does not cover www version, how do I fix?
https://serverfault.com/questions/296390/ssl-domain-problem-for-signed-asterisk-certificates
https://serverfault.com/questions/645230/why-does-my-wildcard-ssl-certificate-cause-a-domain-mismatch-error-on-a-second-l
https://serverfault.com/questions/87869/ssl-certificates-for-subdomain-example-com
https://security.stackexchange.com/questions/83245/ssl-cert-for-sub-domain-com-and-www-sub-domain-com
https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain
We have a local Exchange server that we are testing out. We also have a wildcard certificate and wanted to use that certificate for Exchange. We got the certificate installed correctly, but we get an error notice when Outlook connects to Exchange.
The error is:
"exchange.office.domain.com
...
The name on the security certificate is invalid or does not match the name of the site"
When I "View Certificate...", I see the correct certificate, issued to "*.domain.com"
I am not sure if the problem is that the * does not work for exchange.office, that is how we have the network setup however.
Does anyone know how we can get Exchange to work with the wildcard certificate (we do not want to buy another certificate for testing), or if the problem is the multi-host in the FQDN, how we can get around that?
Thanks for your thoughts.
I don't know if Exchange has their own rules, but for HTTPS a certificate for *.example.com does not match foo.subdomain.example.com. A wildcard is only valid for a single label and only for the leftmost label. See also https://security.stackexchange.com/questions/52478/why-does-firefox-not-trust-this-us-government-ssl-certificate/52479#52479
how we can get around that?
Your only options are to either change the hostname (or provide an alias) to match the certificate or to change the certificate to match the hostname.
Wildcard SSL Certificate can only secure first level domain name.
If you have purchased wildcard SSL certificate for 'domain.com', using wildcard you can secure '*.domain.com' sub-domains. (First Level)
If you have purchased wildcard SSL certificate for ".domain.com", using wildcard you can secure '..domain.com' sub-domains. (Second Level).
As you wants to secure "exchange.office.domain.com" , it is a second level domain name option. So to secure it you need to buy Wildcard SSL certificate for "office.domain.com".
I have domain mydomain.com. I need use subdomains such test1.mydomain.com, helloworld.mydomain.com. These subdomains just host names in IIS bindings for my main site. Users of my sites can add subdomains. Is it possible to use one certificate for all subdomains and main domain? How can I test it with self signed sertificate?
Thanks!
Typically a standard SSL Certificate is issued to a single Fully Qualified Domain Name only, which means it can be used only to secure the exact domain to which it has been issued. With the Wildcard SSL option activated you expand what's possible by receiving an SSL Certificate issued to .domain.com. So if you apply for ".mydomain.com" it will secure "anything.mydomain.com"
Not quite sure on how to do it with self-signed certificates. Hope this info helps.
You will need to use a wild-card certificate eg
http://www.rapidssl.com/buy-ssl/wildcard-ssl-certificate/index.html
Once all the domains are in effect alliasses of the main domain there should be no problem here.
I dont know much about self signing certificates - except that they seem to be more trouble than they are worth. for less than $10 you can get a cert (not wildcard) from someone like CheapSSLs and test with this if you want - it will just throw an error about the name of the domain not matching the certificate
Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com, I need because I am using 2 IP on my dedicated server but now I am moving to Azure on azure we can't add two https endpoint. or other solution for azure I need two https endpoint
You can purchase a wildcard SSL certificate that encrypts requests made to *.example.com. This will work for an unlimited number of third-level subdomains. To include the second-level (example.com) and forth-level (subforthlev.subthirdlev.example.com) or higher subdomains, you must find a certificate authority (CA) that allows you to include multiple subject alternate names (SANs) in the wildcard certificate. Each non third-level domain needs to be manually added as a SAN.
Edit: I've used DigiCert's wildcard certificates several times and I have not come across a browser or device that did not have their root certificate installed (see their compatibility list). DigiCert wildcard certs allow you to secure an unlimited number of subdomains regardless of the domain level. Excerpt from first link:
DigiCert WildCard ssl certificates are unique in allowing you to secure ANY subdomain of your domain, including multiple levels of subdomains with one certificate. For example, your WildCard for *.digicert.com com could include server1.sub.mail.digicert.com as a subject alternate name.
If you want your certificate to be valid for both *.mysubdomain.example.com and mysubdomain.example.com, it needs to have a Subject Alternative Name entry for both.
The *.mysubdomain.example.com wildcard expression doesn't cover mysubdomain.example.com.
These rules are defined in RFC 2818 and clarified in RFC 6125:
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
In practice, that's indeed how most browsers react.
It's however quite likely that a CA issuing a wildcard certificate for *.mysubdomain.example.com will also add a SAN for mysubdomain.example.com. Check with your CA.
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/