gd6627
Help with DNS SSL Cert
Can you generate an SSL cert for a CNAME instead of an A record in DNS? I have a URL for users that is too difficult to type, remember, etc., and wanted to know: if I create a CNAME for that server FQDN in DNS, can I then get an SSL cert for that CNAME? So that I can then deliver a shortcut to the user with the friendly name.
Example :
\\ABCDEFG12345678.TEst.com
A record :
Host ABCDEFG12345678.TEst.com
IP: 192.168.1.1
CNAME:
MyPage
FQDN: Mypage.com
TargetHost: ABCDEFG12345678.test.com
You can get a certificate for any name (from a public provider) as long as you own the domain name. So using your example above, you must own the "mypage.com" domain.
1) Can you generate an SSL cert for a CNAME instead of an A record in DNS?
No. This is no longer allowed, with most issuers.
2) I have a URL for users that is too difficult to type, remember, etc., and wanted to know: if I create a CNAME for that server FQDN in DNS, can I then get an SSL cert for that CNAME? So that I can then deliver a shortcut to the user with the friendly name.
You'll create records like this... although I don't really see the point...
short IN A x.x.x.x
long IN CNAME short
Then generate a cert for the short.yourdomain.com hostname.
Unsure why you won't just use the short hostname, if the long hostname is hard to remember/type.
David Johnson brings up a good point: you must arrange for your cert to cover both hostnames, long + short, for the above to work.
At this point, since LetsEncrypt wildcard certs are free, I generate wildcard certs whenever many hostnames require cert coverage.
ASKER
Thank you gentlemen
I've never seen any issuers who care what the name is, as long as you show you own the domain.
David Favor - if you have an example of one, I'd love to see it.
The site doesn't even have to exist when you get an SSL certificate, so how could they check? And there's nothing preventing you from changing your records after you have a certificate. It just wouldn't make sense to require that an A record exist for the name.
You would only need both names (used by the A record and CNAME) if you wanted to access the site by both names and not get a warning. It's not a bad idea, but it's not a requirement.
For many sites hosted on platforms like Pantheon or Cloudflare, most sites are accessed via CNAME record, and it's the CNAME name which is added to the certificate.
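Added example (not code from any poster in this thread): the name check a TLS client performs, written in Python with the short/long hostnames from the records above. It shows why the certificate has to list every name users type, whether DNS resolves that name through an A record or a CNAME, and what a wildcard entry does and does not cover. The SAN lists and function names are constructed for illustration.

```python
# Added illustration; hostnames and SAN lists are constructed sample data.

def san_matches(hostname: str, pattern: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    DNS names compare case-insensitively. A wildcard is honoured only as the
    entire left-most label and stands for exactly one label.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Simplification of browser policy (an assumption of this example):
        # refuse wildcards sitting directly under a top-level label, e.g. *.com.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered_names(names, sans):
    """Names a user would type that no SAN entry covers (browser warning)."""
    return [n for n in names if not any(san_matches(n, s) for s in sans)]


# The client checks the name it was given; the DNS record type never enters into it.
NAMES_USERS_TYPE = ["short.yourdomain.com", "long.yourdomain.com"]

SINGLE_NAME_CERT = ["short.yourdomain.com"]                       # one SAN
TWO_NAME_CERT = ["short.yourdomain.com", "long.yourdomain.com"]   # both SANs
WILDCARD_CERT = ["*.yourdomain.com"]                              # wildcard SAN

if __name__ == "__main__":
    for label, sans in [("single", SINGLE_NAME_CERT),
                        ("two-name", TWO_NAME_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, "uncovered:", uncovered_names(NAMES_USERS_TYPE, sans))
```

A wildcard entry does not cover the bare domain or names more than one label deep, so those still need their own SAN entries.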
ASKER
thank you footech