Sal Sorice
asked on
Can one type of SSL certificate cover any number of sub-domains?
Client is beginning to use Azure to develop sites for customers. They need SSL certs for security. I'm a bit confused as to what SSL(s) would be needed to cover the domains.
All of the subdomains will end in one root domain. Example:
rootdomain.com
The subdomains will go several levels deep. Examples:
Name1.rootdomain.com
Name2.rootdomain.com
AnotherName.Name1.rootdomain.com
YetAnotherName.AnotherName.Name1.rootdomain.com
Can one 'multi sub-domain' SSL cert secure every level in front of rootdomain.com?
Or do you need another cert every time you add a period into the structure (i.e., one cert for *.rootdomain.com, another for *.Name1.rootdomain.com, etc.)?
Hope I've explained this clearly...
ASKER
Mahesh, thanks for the comment. I realize that a wildcard can only cover its own level. Was wondering if there is another type of SSL cert that covers multiple levels...
ASKER CERTIFIED SOLUTION
ASKER
So the SAN will cover anything (at any level) in front of rootdomain.com, like
5.rootdomain.com
4.5.rootdomain.com
3.4.5.rootdomain.com
2.3.4.5.rootdomain.com
1.2.3.4.5.rootdomain.com
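The question the asker keeps returning to is whether one certificate can cover names at every depth under rootdomain.com. The answer depends on how TLS clients match a name against the certificate's subjectAltName (SAN) dNSName entries: a `*` is honoured only as the whole left-most label and matches exactly one label, so `*.rootdomain.com` covers `5.rootdomain.com` but not `4.5.rootdomain.com`, and a SAN certificate covers deeper hosts only if a matching entry (explicit or a wildcard at that depth) is listed. The checker below is an added example, not code from the thread; it implements that one-label rule (RFC 6125 section 6.4.3 as modern browsers and TLS libraries apply it), reports which of the asker's example hosts a given SAN list covers, and computes the per-depth wildcard entries a single certificate would need. The host list and the `rootdomain.com` root are the asker's placeholders, constructed here as sample input.

```python
"""Added example (not from the thread): which host names does a certificate's
SAN dNSName list actually cover, under the one-label wildcard rule?"""
from typing import Dict, List, Optional

# Constructed sample input, copied from the question's examples.
ROOT = "rootdomain.com"
HOSTS = [
    "5.rootdomain.com",
    "4.5.rootdomain.com",
    "3.4.5.rootdomain.com",
    "2.3.4.5.rootdomain.com",
    "1.2.3.4.5.rootdomain.com",
]


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: matching is case-insensitive and ignores a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_entry_matches(entry: str, host: str) -> bool:
    """Return True if a single SAN dNSName entry covers `host`.

    Rules applied:
      * without a '*', the names must be equal label for label;
      * a '*' is honoured only as the entire left-most label;
      * that '*' matches exactly one non-empty label, so it never matches a
        deeper host name and never matches the parent domain itself.
    """
    e, h = _labels(entry), _labels(host)
    if "*" not in entry:
        return e == h
    if e[0] != "*" or any("*" in label for label in e[1:]):
        return False  # partial ("www*") or non-left-most wildcards are rejected
    return len(h) == len(e) and h[0] != "" and h[1:] == e[1:]


def coverage(san_entries: List[str], hosts: List[str]) -> Dict[str, Optional[str]]:
    """Map each host to the first SAN entry that covers it, or None if nothing does."""
    return {
        host: next((e for e in san_entries if san_entry_matches(e, host)), None)
        for host in hosts
    }


def wildcards_needed(hosts: List[str], root: str) -> List[str]:
    """Smallest set of per-depth wildcard entries that covers every host under `root`.

    A host needs a wildcard whose parent is the host's own parent, e.g.
    4.5.rootdomain.com is covered by *.5.rootdomain.com and nothing shallower.
    """
    r = _labels(root)
    needed = set()
    for host in hosts:
        labels = _labels(host)
        if len(labels) <= len(r) or labels[-len(r):] != r:
            raise ValueError(f"{host} is not below {root}")
        needed.add("*." + ".".join(labels[1:]))
    # shallowest first, so the list reads in the same order as the question
    return sorted(needed, key=lambda s: (s.count("."), s))


def _report(san_entries: List[str]) -> None:
    print("SAN =", san_entries)
    for host, entry in coverage(san_entries, HOSTS).items():
        print(f"  {host:26} -> {entry or 'NOT COVERED'}")


if __name__ == "__main__":
    _report(["*." + ROOT])                 # one wildcard: only 5.rootdomain.com matches
    _report(wildcards_needed(HOSTS, ROOT)) # one wildcard per depth: everything matches
```

Run it as-is: the first report shows a single `*.rootdomain.com` entry leaving four of the five hosts uncovered, the second shows that five wildcard entries (one per depth) cover them all. Whether a public CA will put several wildcard entries on one certificate is a matter of that issuer's product rules, so confirm it before ordering.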
Use free https://LetsEncrypt.org wildcard certs.
They're free, so generate as many as you require... to cover various levels of hosts...
ASKER
Thanks David. I'm aware of LetsEncrypt, but that is not a viable option for this client.
Then you'll have to purchase multiple wildcard certs from somewhere + manage all the yearly upgrades, which will be super complex.
Especially, describing the host name spaces you have to cover.
It's all a question of time + money.
If you require setup + forget certs, use LetsEncrypt.
If you have infinite time + money, then just purchase + install multiple wildcard certs from any issuer. Then build into your lifetime project budget the time to renew + reinstall all certs every year.
ASKER
These sites are set up on Azure - how would LetsEncrypt work with Azure? How would it perform the auto-renewal?
Let's Encrypt provides certificates with only 3 months' validity every time you request a new one or renew.
ASKER
David,
These sites are set up on Azure - how would LetsEncrypt work with Azure? How would it perform the auto-renewal?
Mahesh,
I'm familiar with LetsEncrypt and how it works. I'm trying to make sure that the SAN Cert will cover domains like this:
5.rootdomain.com
4.5.rootdomain.com
3.4.5.rootdomain.com
2.3.4.5.rootdomain.com
1.2.3.4.5.rootdomain.com
Raise your request and get a cert from Let's Encrypt to test with; I don't see any issue in that.
BTW, Azure won't automatically renew certs unless you've done some complex automation; manual intervention would be required.
What OS?
You can use https://certbot.eff.org/ ("Automatically enable HTTPS on your website with EFF's Certbot, deploying Let's Encrypt certificates.")
Why not procure a certificate through Azure?
ASKER
Thanks all for the comments. Mahesh was correct that the SAN (actually I think it would be a UCC) Cert would cover anything (at any level) in front of rootdomain.com, like
5.rootdomain.com
4.5.rootdomain.com
3.4.5.rootdomain.com
2.3.4.5.rootdomain.com
1.2.3.4.5.rootdomain.com
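A SAN (or UCC) certificate covers exactly the names listed in it, so to cover every depth the request has to name each depth, either explicitly or with one wildcard per level. The OpenSSL request configuration below is an added example, not from the thread or from any CA's documentation; it assumes the certificate is requested with `openssl req` and uses the question's placeholder names, with the file name `san.cnf` and the key and CSR file names being arbitrary choices.

```ini
# san.cnf - constructed example request config for one certificate that
# covers rootdomain.com and the first three levels beneath it.
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = rootdomain.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = rootdomain.com
DNS.2 = *.rootdomain.com
DNS.3 = *.Name1.rootdomain.com
DNS.4 = *.AnotherName.Name1.rootdomain.com
```

Generate the key and request with `openssl req -new -newkey rsa:2048 -nodes -keyout rootdomain.key -out rootdomain.csr -config san.cnf`, then confirm the names made it into the CSR with `openssl req -in rootdomain.csr -noout -text` and look under "X509v3 Subject Alternative Name". Each wildcard covers one label at its own depth only, so a new depth (YetAnotherName.AnotherName.Name1.rootdomain.com) needs its own `DNS.n` entry, and the issued certificate must be re-requested when the name space grows; whether an issuer allows several wildcard entries on one certificate is that CA's policy, so check before purchasing.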
Yes. Wildcard is an ideal solution to cover an unlimited number of subdomains with a single SSL certificate.
How to use Wildcard SSL Certificate?
Extra tip-
If you need to protect multiple domains and multiple subdomains with a single SSL certificate, you can have a multi domain SSL wildcard certificate.
The certbot-auto script can be installed on almost any OS these days.
All that's required is a fairly recent version of Python running.
In the case of Linux distros, certbot-auto will even install its own Python runtime environment.
Set up a cron job to auto-renew your SSL certs + there's no concern about length of cert life.
"*.rootdomain.com, another for *.Name1.rootdomain.com"
Wildcard certificate cannot cover deeper-level host names than its own level.