Skip to content

SSL certificates for public web servers

Featured Replies

I'm trying to figure out the best / most flexible way of renewing a SSL certificate.

Currently, I have one domain with a SSL certificate purchased via GoDaddy and provided via Starfish Tech. This is up for renewal.

I would like to extend the certificate to cover multiple sub-domains.

Looking at GoDaddy's site, I'm confused as they talk about "multipe domains (UCC)" and "single domains with multiple subdomains". The examples shown seem to be identical. Yet the names and prices are different. :S

So bearing in mind I would like to have:

subone.mydomain.com and subtwo.mydomain.com, what do you suggest? Those two sites are currently hosted on different VPSs (so two different IPs), but I might add more VPSs or more subdomains within a given VPS (they're all running Apache on Linux).

Suggestions of solutions or alternative providers welcome.

I could use a self-signed certificate, but I don't want the hassle of people coming back to me saying "it looks insecure, firefox complains", etc. I don't want to have to go to a proper level 2 certificate as it'll be more hassle with the company. All I need is to ensure data is encrypted.

thanks :)

So, the first option is a SAN cert, where you must explicitly declare the domains you want secured by the cert. The second is a wildcard cert covering any first level subdomains of a given domain.

In your case, go for the former - "multipe domains (UCC)".

To see a real example of a SAN cert, have a look at the cert info for https://www.skybet.com. Note in the Subject Alternative Name field it has:

DNS Name=st1.skybet.com

DNS Name=st2.skybet.com

DNS Name=Beta.skybet.com

DNS Name=www.skybet.com

So the same cert is installed on the vhosts for all of the above.

  • Author

Thanks Nick. Yes, I did mean SAN certificate.

Question: if you have to explicitly list the subdomains you want the cert to work for, then say in a few months I want to add another server, do I have to re-issue the certificate with the new dns name included? If so, does that invalidate the previous version (installed on all the other existing servers)?

Cheers :)

We were advised against using a true wildcard certificate by CESG for a public facing service, because if it is cracked then all your SSL based websites using the wildcard certificate are vulnerable and open.

  • Author

I know Manny, it is one of the downsides...

Create an account or sign in to comment

Recently Browsing 0

  • No registered users viewing this page.

Important Information

Welcome to BRISKODA. Please note the following important links Terms of Use. We have a comprehensive Privacy Policy. We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

Account

Navigation

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.