Can I have different SSL certificates for different subdomains? - wordpress

My company has a SSL certificate for *.mycompany.com. We use this certificate for many critical services.
Marketing team owns www.mycompany.com website (WordPress) and wants a SSL certificate for it.
Can we issue a specific certificate for www.mycompany.com?

Yes. As far as the certificate is concerned, there is no relationship between different servers. You could have five different servers with five different certificates, and as long as each one of them is valid there wouldn't be a problem. (It might cause a problem if the certificate changes mid-session.)
You should, however, be aware that www.example.com would also be usable as a certificate for any of your other 'critical' services that operate on www.example.com; you could have a security issue there.

Related

HTTPS and SSL certificate

I develop a website with Symfony2 and I put it in HTTPS.
I have several questions:
Is the only way to not have an error message in my browser when I go to my website to have an SSL certificate?
How does the installation of an SSL certificate on a website work?
Verisign offers SSL certificates from 450€/year ( http://www.symantec.com/fr/fr/page.jsp?id=compare-ssl-certificates ). It's quite expensive. Are there other good solutions to get a cheaper certificate?
If your site is not a shop or something commercial, you can get a free cert at startssl.com
See awesome tutorial
(Installing certificate in nginx is almost the same with apache)
UPD
Now use letsencrypt :)
Certificates tell the client you can be trusted. Web browsers come loaded with trusted keys from third parties. Your browser checks the key of the cert coming in and if it is in the list it allows SSL connection (if the IP address in the cert etc is correct). This is why it costs as no doubt the cert providers have their own expenses to be added to browsers and to turn a profit etc.
You can of course produce your own certificate, but it won't be recognised by your client's machine. The user then has to explicitly accept the cert - some browsers like Chrome make this hard as it is a security risk.
Google should help you find the best cert deals from trusted providers.
Your hosting provider should be able to help you set up your cert. If you're self-hosting, that should be its own question, as it could have different answers depending on your setup.

Hosting multiple sites using wordpress and ssl requirements

I have a VPS, and I am planning to run a word press instance on it. I want to host sites for different and entirely separate businesses. However, if possible we do not want to pay for a separate SSL certificate for every site.
Is this possible?
Is multisite the answer to this? Assuming that we would have to buy a multi-domain SSL certificate, is that right?
Yes, your assumption is right. You have to get a multi-domain (SAN) SSL certificate to protect your multiple domains hosted on different servers with a single certificate. It is too expensive to get different SSL certs for individual domains, so SAN SSL is an apotheosis option.

SSL Certificate for multiple servers

I want to use same SSL certificate in multiple servers, which type of SSL certificate should I use? Unified SSL certificate? or Wildcard SSL certificate?
Thanks
Any certificate can be installed on multiple servers but your question requires more information on how you want to be advised.
A wildcard SSL certificate will secure any subdomain that the Wildcard character is on. So if you have a certificate for *.domain.com then you can secure
secure.domain.com
bob.domain.com
charlie.domain.com
and the list can go on, however it won't work for sub.secure.domain.com as the wildcard only does the single level.
A unified certificate, depending on the provider would only give you 3 subdomains.
mail, owa and autodiscover.domain.com
Also, you can generally add SANs to a standard certificate, which will allow you to add subdomains at extra cost, but if you are only looking to secure 2 subdomains then a certificate with 1 SAN would be cheaper in most cases than a wildcard.
Give us an example of what you are trying to do and people can probably advise you better.
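The single-level wildcard rule described in the answer above, as an added example that is not part of the original post. It is a simplified matcher (the wildcard is honoured only as the whole leftmost label), and the inventory is constructed from the names used in the answer.

```python
def name_covers(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (exact or wildcard) covers hostname."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False                      # "*" stands for exactly one label
    if pat[0] == "*":
        # Require at least "*.domain.tld" and a non-empty host label.
        return len(pat) >= 3 and bool(host[0]) and pat[1:] == host[1:]
    return pat == host                    # partial wildcards like "s*" are not expanded


def certs_covering(inventory: dict, hostname: str) -> list:
    """Labels of every certificate in the inventory that is valid for hostname."""
    return sorted(label for label, names in inventory.items()
                  if any(name_covers(n, hostname) for n in names))


# Constructed inventory using the names from the answer above.
INVENTORY = {
    "wildcard": ["*.domain.com"],
    "unified": ["mail.domain.com", "owa.domain.com", "autodiscover.domain.com"],
}

if __name__ == "__main__":
    for host in ("secure.domain.com", "mail.domain.com",
                 "sub.secure.domain.com", "domain.com"):
        print(f"{host:24} -> {certs_covering(INVENTORY, host) or 'no certificate'}")
```

Running the same check over a real certificate inventory shows which private keys can stand in for which hosts, which is the exposure to weigh before putting one wildcard key on many servers.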
Securing Multiple Servers With One SSL Certificate
To move your certificate between servers you will need to install the certificate on the same web server that you generated the CSR from. You can then export the SSL certificate and its private key to a PKCS#12 file, or if it is a non-Windows-based server you will be able to copy the key and certificate files.
Wildcard SSL Certificates allow you to secure multiple sub domains on the same domain name, thereby saving you time and money, and of course you do not need to manage multiple SSL Certificates on the same server.

What exactly does "every SSL certificate requires a dedicated IP" mean?

I've read a bit about SSL certificates, and in particular I've read that an SSL certificate "requires a dedicated IP address". Now, I'm unsure of the meaning of this; does it mean that the certificate requires a dedicated IP address separate from the IP address used for normal HTTP communication, or just that it can't share the IP address with other SSL certificates?
To clarify, I have a VPS with a dedicated IP address. The VPS is hosting quite a few different sites, including several subdomains of the main site, but only the main site and the subdomains requires SSL. Can I simply purchase an SSL certificate for *.example.com using my current IP address, or do I need to get one that is separate from the other sites on the VPS? Or even worse, do I need to get one that is separate from all HTTP traffic on the server? Keep in mind that none of the other sites needs SSL.
Thanks for any clarification on the topic.
Edit: Some sources for my worries:
http://symbiosis.bytemark.co.uk/docs/symbiosis.html#ch-ssl-hosting
Is it necessary to have dedicated IP Address to install SSL certificate?
There's no such thing as "SSL certificate". The term is misleading. X.509 certificates can be issued for different purposes (as defined by their Key Usage and Extended Key Usage "properties"), in particular for securing SSL/TLS sessions.
Certificates don't require anything in regards to sockets, addresses and ports as certificates are pure data.
When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). There's one server per IP/Port, so usually there's no problem for the server to choose what certificate to use.
HTTPS is the exception — several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. The domain name is passed to the server in the request, which goes after TLS handshake.
Here's where the problem arises - the web server doesn't know which certificate to present. To address this a new extension has been added to TLS, named SNI (Server Name Indication). However, not all clients support it. So in general it's a good idea to have a dedicated server per IP/Port per domain. In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that's not usual).
SSL certificates do not require a dedicated IP address. SSL certificates store a so-called common name. Browsers interpret this common name as the DNS name of the server they are talking to. If the common name does not match the DNS name of the server that the browser is talking to, the browser will issue a warning.
You can get a so called wildcard certificate, that would be admissible for all hosts within a certain domain.
...following up on @Eugene's answer with more info about the compatibility issue...
According to this page from namecheap.com SNI does not work on:
Windows XP + any version Internet Explorer (6,7,8,9)
Internet Explorer 6 or earlier
Safari on Windows XP
BlackBerry Browser
Windows Mobile up to 6.5
Nokia Browser for Symbian at least on Series60
Opera Mobile for Symbian at least on Series60
Web site will still be available via HTTPS, but a certificate mismatch error will appear.
Thus, as we enter 2016 I would venture to stick my neck out there and say, "If you're building a modern website anyway (not supporting old browsers), and if the project is so small that it cannot afford a dedicated IP address, you'll probably be fine relying on SNI." Of course, there are thousands of experts who would disagree with this, but we're talking about being practical, not perfect.
The SSL certificate common name has to match the domain name. You don't have any requisite over the IP address, unless it's a limitation imposed by the certificate provider or the HTTP server software.
Edit: looking into the web, it seems that the rumor has been spread because Apache's ssl plugin doesn't have (at least it didn't have in 2002) any mechanism to use different certificate based on the hostname. In such scenario you would have to run two different Apache web servers on the two different IP addresses.
Anyway in your configuration you shouldn't have any problem using only one IP because you don't have to use two different certificates (because you plan to use a wildcard certificate).
I would try anyway configuring the webserver with a self signed certificate before spending money for a second ip or certificate.
Edit 2: reference apache documentation:
http://httpd.apache.org/docs/2.2/vhosts/name-based.html
It seems like now (apache >= 2.2.12) it is supported

Set up HTTPS/SSL Certificate for our website on another server

I'm pretty new to the https world, so bear with me.
There are 2 web-servers involved:
Webserver1 has been in the organization a few years and is hosting/running multiple websites with https encryption (app1.ourcompany.com, app2.ourcompany.com, etc). It has a valid, signed certificate.
Webserver2 is a new server, for which I am responsible. I am tasked with setting up https and getting the certificate, etc. It has a web app running on it, but it does not have a domain name (only has an IP address)...which as I recently learned, is a requirement for a signed certificate.
What I'd like to know is this -- is it possible to set up a site on Webserver1 that points to the site I'm hosting on Webserver2 (ie SiteOnWebserver2.ourcompany.com) which also utilizes the Webserver1's signed/verified certificate?
Thanks for your time, SO gurus!
--Dan
A regular SSL certificate is valid for only a single domain name (such as app1.ourcompany.com). If this is the type of certificate currently being used then the existing SSL certificates will not work on your new server. If you did try this you would get an error in the browser saying that the site's domain name doesn't match the name in the SSL certificate.
The other option is to use a wildcard SSL certificate. These kinds of certificates are assigned to a certain parent domain (like ourcompany.com) and will work for all subdomains. This kind of certificate would work for app1.ourcompany.com, app2.ourcompany.com, as well as your SiteOnWebserver2.ourcompany.com.
