3

I used make-dummy-cert that comes with Apache 2.2 and ssl_mod to make a self-signed certificate. I tried making it for www.example.com, example.com, or *.example.com, but none of them would work for both www.example.com and example.com. The browser would say "The certificate is only valid for example.com" (or www.example.com or *.example.com respectively).

How do I make a self-signed cert that would work for both cases?

Andrew Schulman
user12145

2 Answers

3

*.example.com won't match example.com because the star only matches subdomains of example.com. *.example.com will however match www.example.com and foo.example.com.

What I think you need to do if you really want to match both is to create a certificate with multiple CN entries in the SubjectAltName, one for example.com and one for *.example.com (or www.example.com, if you don't need to match any other subdomains). This link might help: http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

EDIT:

@Bill Weiss is right, I just checked one of the certs I have from GoDaddy and it has both www.example.com and example.com in the SubjectAltName, and both work in the browser. So it sounds like you can get what you need for cheap.

Good luck,

--jed

Jed Daniels
  • I am going to get a commercial certificate with multiple CNs, any suggestions that are cheap and decent? – user12145 Apr 14 '10 at 21:06
  • @user12145 Wildcard certificates aren't cheap at all, but the cheapest I've found have been through godaddy.com's certificate service. – Jed Daniels Apr 14 '10 at 21:09
  • But wildcard certificates won't work for example.com, right? I don't need to match subdomains. – user12145 Apr 14 '10 at 21:13
  • 2
    GoDaddy will throw in a SubjectAltName for example.com. At least, that's been my experience. Talk to your CA about it, they'll help you. – Bill Weiss Apr 14 '10 at 21:53
  • 3
    Other providers also add a free SubjectAltName: Comodo, DigiCert, and GlobalSign – Robert Apr 15 '10 at 15:19
  • @Robert Remarkably annoying when client insists on another provider! – ceejayoz Jan 30 '13 at 17:39
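
The SubjectAltName approach from the answer above, as an added example that is not part of the original posts: it generates a self-signed certificate listing both example.com and www.example.com, then checks which hostnames the result covers. The function names, file names, key size and 365-day lifetime are assumptions, and `-checkhost` needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: self-signed cert valid for example.com and www.example.com.
# Function names, file names and the 365-day lifetime are illustrative choices.

make_san_cert() {
    # $1 = output directory; writes san.cnf, server.key and server.crt there
    dir=$1
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
CN = example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
    # umask keeps the unencrypted private key readable by its owner only
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
          -config "$dir/san.cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

cert_matches() {
    # $1 = certificate file, $2 = hostname; succeeds only if the cert covers it
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Usage: make_san_cert . && cert_matches ./server.crt www.example.com
```

Swapping `DNS.2` for `*.example.com` covers every first-level subdomain, while the `DNS.1` entry is still what makes the bare domain match.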
-2

Do you have the same content at example.com and www.example.com? As far as I understand, this would be a bad idea for SEO and you should redirect one to the other using, for instance, mod_rewrite.

Andrew Schulman
user1583209
  • 5
    You'd still need SSL for both, or someone visiting the redirect URL via HTTPS will still get the certificate mismatch. – ceejayoz Jan 30 '13 at 17:35