gd6627 (United States of America) asked:

Help with DNS SSL Cert

Can you generate an SSL cert for a CNAME instead of an A record in DNS? I have a URL for users that is too difficult to type, remember, etc. and wanted to know if I create a CNAME for that server FQDN in DNS, can I then get an SSL cert for that CNAME? So that I can then deliver a shortcut to the user with the friendly name.

Example :
\\ABCDEFG12345678.TEst.com
A record :
Host  ABCDEFG12345678.TEst.com
IP: 192.168.1.1

CNAME:
MyPage
FQDN: Mypage.com
TargetHost: ABCDEFG12345678.test.com
footech (United States of America):

You can get a certificate for any name (from a public provider) as long as you own the domain name.  So using your example above, you must own the "mypage.com" domain.
1) Can you generate an SSL cert for a CNAME instead of an A record in DNS?

No. This is no longer allowed, with most issuers.

2) I have a URL for users that is too difficult to type, remember, etc. and wanted to know if I create a CNAME for that server FQDN in DNS, can I then get an SSL cert for that CNAME? So that I can then deliver a shortcut to the user with the friendly name.

You'll create records like this... although I don't really see the point...

short    IN   A   x.x.x.x
long     IN   CNAME   short

Then generate a cert for the short.yourdomain.com hostname.

Unsure why you won't just use the short hostname, if the long hostname is hard to remember/type.
ASKER CERTIFIED SOLUTION
David Johnson, CD (Canada):
This solution is only available to members.

David Johnson brings up a good point: you must arrange for your cert to cover both hostnames, long + short, for the above to work.

At this point, since LetsEncrypt wildcard certs are free, I generate wildcard certs whenever many hostnames require cert coverage.
gd6627 (asker):

Thank you, gentlemen.

I've never seen any issuers who care what the name is, as long as you show you own the domain.
David Favor - if you have an example of one, I'd love to see it.

The site doesn't even have to exist when you get an SSL certificate, so how could they check?  And there's nothing preventing you from changing your records after you have a certificate.  It just wouldn't make sense to require that an A record exist for the name.

You would only need both names (used by the A record and CNAME) if you wanted to access the site by both names and not get a warning.  It's not a bad idea, but it's not a requirement.

For many sites hosted on platforms like Pantheon or Cloudflare, most sites are accessed via CNAME record, and it's the CNAME name which is added to the certificate.
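footech's point above, that the browser compares the name in the URL against the certificate and never looks at what that name CNAMEs to, can be checked with a small name-matching script. This is an added example, not code from any poster; the hostnames are constructed from the thread's example, and fetch_dns_sans is an optional standard-library helper for reading the SANs a live server actually presents.

```python
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """True if a DNS SAN entry covers hostname (RFC 6125-style matching).

    A wildcard is only honoured as the entire left-most label and only
    matches exactly one label, so *.test.com covers long.test.com but
    neither test.com itself nor a.b.test.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if "*" not in san:
        return host == pat
    if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def uncovered_names(typed_names, cert_sans):
    """Names users will type that no SAN on the certificate covers.

    The record type behind the name (A or CNAME) is irrelevant to the
    browser; only the typed name must appear on the certificate.
    """
    return [n for n in typed_names if not any(san_matches(n, s) for s in cert_sans)]


def fetch_dns_sans(hostname, port=443, timeout=5.0):
    """Read the DNS SANs from a live server, connecting the way a browser would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed scenario from the thread: the friendly CNAME name and the
# long A-record target. Illustrative values, not real hosts.
TYPED = ["mypage.com", "abcdefg12345678.test.com"]

if __name__ == "__main__":
    # Cert issued only for the A-record target: the friendly name will warn.
    print(uncovered_names(TYPED, ["abcdefg12345678.test.com"]))  # ['mypage.com']
    # Cert covering both names (a wildcard for the long one): no warnings.
    print(uncovered_names(TYPED, ["mypage.com", "*.test.com"]))  # []
```

Note that a single wildcard such as *.test.com covers one label level only, so it does not cover test.com itself or a name in a different domain like mypage.com.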
gd6627 (asker):

Thank you, footech.