5

If I have test.example.com and prod.example.com (two hostnames, but same domain name) can I use the same SSL cert on both machines?

In the past when I tried using a prod.example.com cert on test.example.com it resulted in browser warnings for host-mismatch, which led me to believe that I needed a wildcard (or else multiple distinct certs). (Perhaps my mistake was in generating the CSR for prod.example.com rather than simply example.com?)

But the various SSL vendors' websites mention needing a wildcard cert for subdomains, which is not at all what I am using.

Is their language simply incorrect? (My cynical side wonders if this helps vendors sell more expensive certs...)

Caffeine Coma
  • Why do you think you're not using subdomains? test.example.com and prod.example.com are subdomains of example.com. – Mike Scott Dec 20 '11 at 05:45
  • Mike Scott: my understanding is that a subdomain would be x.y.example.com, but perhaps I am mistaken. http://vogtland.ws/MarksBlog/?p=280 – Caffeine Coma Dec 20 '11 at 13:06
  • @CaffeineComa His point was that `prod.example.com` and `test.example.com` are subdomains of `example.com`. If you were to get a wildcard for `example.com` it would cover both `prod.example.com` and `test.example.com` as well as any other subdomains of `example.com` (and `example.com` itself). – MDMarra Dec 20 '11 at 13:37
  • x.y.example.com is a subdomain of y.example.com. y.example.com is a subdomain of example.com. Technically, example.com is a subdomain of com. – Mike Scott Dec 20 '11 at 15:37
  • @MDMarra are you sure about the wildcard cert covering the name itself, too? – Alnitak Dec 21 '11 at 15:04
  • @Alnitak Usually the Subject Name of the cert is the domain and the wildcard is in the SAN. Strictly speaking, no just a wildcard itself doesn't cover the parent, but I've never seen a major vendor sell one that didn't. – MDMarra Dec 22 '11 at 01:07
  • @CaffeineComa I have a certificate for *.abc.com. Can I use this certificate for dev.abc.com:9003? – Nullpointer Dec 26 '16 at 05:44

4 Answers

9

You would need a certificate that supports the Subject Alternate Name field and you would have test.example.com in there for it to work in the example that you described.

A cert for example.com will not magically work for *.example.com like you are describing unless it is a wildcard cert, which you explicitly say that you do not have. The SAN field listing each sub-domain is what you need if you're not going to get a wildcard.

Mark Henderson
MDMarra
5

Is their language simply incorrect?

No, yours is.

If I have test.example.com and prod.example.com (two hostnames, but same domain name)

These are not the same domain name. They are both separate domain names that happen to be subdomains of example.com.

A domain name is any name that exists at any level in the DNS, not just the ones you get from your domain registrar.

An SSL certificate can only cover:

  1. An exact domain name
  2. As above, but with additional "Subject Alternate Names", or
  3. Every sub-domain, i.e. a wildcard cert.

Hence you can't just get a cert for example.com and have it automatically cover the subdomains too.

Alnitak
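A worked example of the matching rules the two answers above describe, added here and not code from the thread: it models how a browser checks a server's hostname against a certificate's DNS names (an exact name, SAN entries, or a single-label wildcard) and shows which of the three certificate types covers test.example.com. The certificate name lists are constructed for illustration, and the hostname-with-port case from the comments is included (the port is not part of the matched name).

```python
# Minimal hostname matcher following the RFC 6125 section 6.4.3 rules that
# browsers apply. Only whole-label wildcards ("*.example.com", the form CAs
# actually issue) are handled. Name lists below are constructed; a real
# client reads them from the certificate's subjectAltName extension and
# falls back to the CN only for legacy certificates that carry no SAN.

def hostname_matches(cert_names, hostname):
    """Return True if `hostname` is covered by one of the certificate's DNS names."""
    # Drop an optional :port and a trailing dot; neither is part of the name.
    host = hostname.lower().rstrip(".").split(":")[0]
    host_labels = host.split(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True  # exact match: a plain cert or one SAN entry
        if name.startswith("*."):
            suffix = name[2:].split(".")
            # Simplified public-suffix rule: refuse wildcards such as "*.com".
            if len(suffix) < 2:
                continue
            # "*" stands for exactly one label, so *.example.com matches
            # test.example.com but neither example.com nor a.b.example.com.
            if len(host_labels) == len(suffix) + 1 and host_labels[1:] == suffix:
                return True
    return False


# Constructed certificates, expressed as the DNS names they carry.
SINGLE_NAME_CERT = ["prod.example.com"]                  # option 1: exact name
SAN_CERT = ["prod.example.com", "test.example.com"]      # option 2: SAN list
VENDOR_WILDCARD_CERT = ["example.com", "*.example.com"]  # option 3 as vendors sell it
BARE_WILDCARD_CERT = ["*.example.com"]                   # wildcard entry alone


def coverage(cert_names, hostnames):
    """Map each hostname to whether `cert_names` covers it."""
    return {h: hostname_matches(cert_names, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["prod.example.com", "test.example.com", "example.com",
             "a.b.example.com", "dev.abc.com:9003"]
    for label, cert in [("single", SINGLE_NAME_CERT), ("SAN", SAN_CERT),
                        ("vendor wildcard", VENDOR_WILDCARD_CERT),
                        ("bare wildcard", BARE_WILDCARD_CERT)]:
        print(label, coverage(cert, hosts))
```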
0

First a clarification: there are no subdomains in the way you are using the term, only domains. Or better, you can say that any domain that you own is a subdomain. The root domain is ".". The TLD "com." is a "subdomain" of ".". "example.com." is a subdomain of "com."... A subdomain is a domain defined inside another domain, but this is a relative, not an absolute, attribute.

Wildcard certificates are more expensive not because they are different from a single-domain one, but because of their exposure and chances of getting compromised. You are not paying the SSL CA the "price" for the certificate, but for a limited insurance. This insurance covers only a breach caused by mishandling of your certificate and its chain by the CA.

If you have only a few subdomains it is cheaper to buy a certificate for multiple domains (certificates that use Subject Alternate Name). If you have many subdomains of a domain, or you expect to add an unknown number of subdomains, you had better buy a wildcard certificate. If you have different domains (example1.com, example2.com, example1.us) you can only use SAN certificates, or buy a wildcard certificate for each domain. (E.g. you cannot buy a wildcard certificate for *.com.)

Using a SAN certificate or wildcard certificate could lower the security of your configuration, because it will force you to use the same listener and most probably the same user (you can run with different users with something like mod_suexec for Apache). So if one site gets compromised, it could lead to the other sites getting compromised. If you have different certificates you can run those applications as different users and have better security.

Mircea Vutcovici
-2

If your cert for prod.example.com isn't a wildcard cert, then to use it on a server having the domain name test.example.com, what's to stop you adding an entry to the %SystemRoot%\System32\drivers\etc\hosts file giving the IP of the test.example.com machine a fake domain name of whatever.prod.example.com?

That way validation on the prod.example.com cert installed onto the test.example.com machine should just work because the hosts file proves the (fake) prod.example.com hostname it's looking for.

Just a thought, as I've used this technique myself for development.

fboaventura
BobT