HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (
-   Installation/Configuration (
-   -   SSL Certificate - Hostname & CNAME (

MaddinXx 3rd July 2012 10:40

SSL Certificate - Hostname & CNAME
Hello everyone

I'm planing to buy (a) new SSL cert(s) for my server(s).

Since I already had problems once, this time I wanna go sure to order it the right way.

My primary question is
All servers have hostnames like: service.server.mydomain.tld, so for example:
mail.alpha.mydomain.tld, web.beta.mydomain.tld etc.

However, I want the certs to be valid for another domain, pointing with a CNAME record to them:

cp.anotherdomain.tld -> web.beta.mydomain.tld

The cert should be valid for cp.anotherdomain.tld then.

So the questions is now, how to do that?
First of all, the provided does allow an unlimited amount of servers.

1 problem is, that all of them have different hostnames
2 problem is, that not all of them are running the same software (apache, nginx, postfix etc.)
3 problem is, that like I said above, I'd like to use CNAMEs.

If it theoretically would work, are their any deficits with using CNAMEs?

I would really appreciate it, if someone would be so kind to help :)

Thank you very much!


Mark_NL 3rd July 2012 15:32

As long as the CN in your certificate reflects the domain your requesting and the server knows about it, it should work.

make a csr for "cp.anotherdomain.tld", send it to your ca and use the key in your vhost for "cp.anotherdomain.tld".

an ssl certificate costs like 12EUR for 1 year, so you can just "try" ..
it's not that they cost a fortune :)

Remember that when you buy a wildcard this works: *.domain.tld
but this won't: *.*.domain.tld

MaddinXx 3rd July 2012 15:50

Hi Mark

Thank you for the answer!

Jep, I realized that *.*.domain.tld is not possible (some research, I wasn't aware of this before) - thank you for pointing that out too. :)

Hmm ya, I'll just try, this may be the best way to get a feeling of how exactly it works - but still I'm not sure if it will like I want it to. I'll try :)

Mark_NL 3rd July 2012 15:54

Well, the thing is .. the hostname you're requesting, need to be verified by the server and the CA (hence the pub/priv keys etc) .. so if your CN (Common Name) is: cp.anotherdomain.tld
Then your server should reply to your request with data that's coming from "cp.anotherdomain.tld" .. as far as i know there's no check for A or CNAME records. It shouldn't matter.

MaddinXx 4th July 2012 11:13

OK so after purchasing a wildcard cert and trying to install it, it really worked fine.

I think the problem I had the first time was, that I did not copy the .key file together with the .crt file.

Everything working now! :)

sjau 4th July 2012 16:32

how much did you pay for wildcard cert? single domain certs with www and without www are cheap... but wildcard ones are so expensive... at least the one's I've found.

MaddinXx 4th July 2012 16:47

Well it's an AlphaSSL cert, the cheap line of GlobalSign's DomainSSL (but with the same browser support etc.)

Since I'm reseller their it was USD 55.

sjau 4th July 2012 17:02

and for non-reseller it's $ 149 :) thx for the info.

MaddinXx 4th July 2012 18:25


Originally Posted by sjau (Post 281589)
and for non-reseller it's $ 149 :) thx for the info.

If you like, I can purchase one for you for CHF 75?

sjau 4th July 2012 22:57

nah, we already got one that is www and without www for $ 17/y. Wildcard would have been nice but it's not absolutely necessary for us.

All times are GMT +2. The time now is 23:37.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.