4

We are looking to set up a service where multiple boxes, in different data centers, would allow HTTPS access. We are looking to buy a wildcard SSL cert to handle any number of vanity sub domains.

We are primarily looking at GoDaddy's wildcard SSL cert. Has anyone set up anything similar to this? We have looked at Digicert's offering but we want to look for cheaper options.

Ambirex
  • 1
    Certs aren't tied to servers, what you do with them is your own business (within reason). – Chris S Nov 29 '11 at 00:46
  • 1
    Believe it or not, there are CAs that make you execute a licensing agreement that limits the number of servers you can use the certificate on. Strange but true. – David Schwartz Feb 01 '12 at 07:20

6 Answers

5

You can create your own wildcard cert also. You don't get the "brand name" and insurance that goes along with it, but it's just as secure. If the SSL connections aren't used by the general public, and only for your own use, I'd recommend that to save money.

Here is a rough draft of the process (using a Keystore) that you have to hack for your own use. You'd have to learn how to do it yourself using the following as a "hint":

:: create authority: self-signed CA cert plus its (passphrase-protected) private key, valid 3 years
openssl req -config %OPENSSL_HOME%\openssl.cfg -new -x509 -extensions v3_ca -keyout %OPENSSL_HOME%\..\demoCA\private\cakey.pem -out %OPENSSL_HOME%\..\demoCA\cacert.pem -days 1096

:: create wildcard key pair in keystore, CN *.site.com (-dname avoids the interactive name prompts)
keytool -genkey -alias wildcard -keyalg RSA -keysize 2048 -dname "CN=*.site.com" -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb

:: generate CSR for the wildcard key pair
keytool -certreq -alias wildcard -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -file %OPENSSL_HOME%\..\myCerts\wildcard.csr

:: import CA from previous step into keystore (must be trusted before the signed reply can be imported)
keytool -import -alias root -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\demoCA\cacert.pem

:: sign CSR with CA (policy_anything relaxes the subject-field checks) and convert to DER format
openssl ca -config %OPENSSL_HOME%\openssl.cfg -policy policy_anything -out %OPENSSL_HOME%\..\myCerts\wildcard.crt -infiles %OPENSSL_HOME%\..\myCerts\wildcard.csr
openssl x509 -in %OPENSSL_HOME%\..\myCerts\wildcard.crt -inform PEM -out %OPENSSL_HOME%\..\myCerts\wildcard.der -outform DER

:: import the signed reply for the wildcard cert; the alias must match the key pair generated above
keytool -import -alias wildcard -keystore %OPENSSL_HOME%\..\myCerts\keystore.kdb -trustcacerts -file %OPENSSL_HOME%\..\myCerts\wildcard.der

djangofan
5

http://www.digicert.com has very flexible licensing including unlimited installs within your domain for UC and Wildcards. We use their UC on Exchange and are shifting from Verisign and Thawte to Digicert for other systems as well due to both the pricing and license flexibility. They also provide a 30 day trial, in which they issue a certificate that has a 30 day validity period, for testing with your systems. So far they've been great for us.

MDMarra
  • 1
    +1 for Digicert! They've been great to us as well; very professional, excellent technical support, reasonable pricing, and flexible licensing. UCC certs are useful in many circumstances, not just Exchange 2007, and can be more cost-effective than wildcard certs in most instances. Even their standard certs utilize the Subject Alternate Name field to protect both www.example.com and example.com with a single cert (and license fee). – jnaab Sep 11 '09 at 06:16
  • +1 Digicert - they are a great company to work with. They're really flexible and helpful on working with you to make sure your cert problems are solved, and really good on fees in my book. – Rob Moir Oct 05 '10 at 11:09
  • +1 Digicert - I've had nothing but excellent support from DigiCert. They're really on the ball. – saturdayplace Oct 18 '11 at 23:29
3

We use GoDaddy's wild card certs for most of our sites. All our sites are hosted by multiple servers. After you install the cert on the server that created the CSR, export the cert to a PFX file and import it to the other server. The clients won't know the difference.

GoDaddy knows we do this, and they haven't ever questioned us about it.

mrdenny
  • 1
    I'm not sure what you're implying here; certs+key are not linked to a server (unlike, say, ssh's known_hosts+server keys) but to a domain name and possibly IP. Needless to say, if said domain name is served by 100 servers, each of them gets a copy of the private key. – niXar Aug 07 '09 at 01:30
  • or just the proxy/load-balancer gets the private key and the 100 servers behind it can be just http – djangofan Nov 29 '11 at 00:12
2

The cheapest one I have found is the one from StartSSL. They only charge for yearly verification and you can have as many wildcard certificates for different domains as you want.

Stoinov
  • Important caveat: This method requires that you be the owner of your mail server, or at least have the authority in your company to request that emails to admin@mail.mycompany.com be forwarded to yourself. So, if you can afford a domain name and mail server, then this is a lot cheaper than other SSL alternatives. – djangofan Nov 29 '11 at 00:14
2

SSL certificates are issued based upon their domain, rather than which server hosts them. All that matters from a client's perspective is that the domain used to access the certificate matches the domain on the certificate itself.

For your needs, I expect any wildcard certificate should work. I'd be interested to see if anyone can provide evidence to the contrary?

  • 1
    Not all SSL vendors have the same policies, for instance "Comodo Premium Wildcard" certs have an extra fee per server you want to install the cert on. – Ambirex Aug 06 '09 at 17:46
  • 4
    You are correct; there are no technical limitations preventing the installation / use of a wildcard cert on multiple hosts. It *is*, however, a violation of the contract with the SSL vendor in almost all cases. I know I've encountered a couple that do explicitly allow installing the cert on multiple hosts, but unfortunately I can't remember which ones... – Insyte Aug 06 '09 at 19:17
  • Interesting; didn't know about this. That's a bizarre requirement. – niXar Aug 07 '09 at 01:31
  • 1
    Just a follow up, we had contacted GoDaddy and they said they support wildcards on multiple servers. So that is the direction we went. Thank you all. – Ambirex Aug 20 '09 at 23:17
  • It is a money thing, Veri$ign makes big profits selling the same tiny file to you multiple times. – Walter Sep 22 '09 at 06:59
  • When we upgraded a web server I asked Thawte about moving the cert from the old server to the new server. They didn't require extra payment in this case, and were very helpful. – dunxd Sep 22 '10 at 10:52
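The answer above (and the original question about vanity sub domains) turns on which hostnames a wildcard name actually covers. The following is an added example, not code from any poster: it implements the one-label wildcard rule that common TLS clients apply, so you can see that *.site.com covers www.site.com but neither site.com itself nor a.b.site.com. The SAN list WILDCARD_SANS is a constructed sample.

```python
"""Check which hostnames a wildcard certificate name actually covers.

Rules implemented (the behaviour of common TLS clients, per RFC 6125 / RFC 2818):
- '*' may only appear as the entire leftmost label (e.g. '*.site.com');
- it matches exactly one label, so '*.site.com' covers 'www.site.com' but
  not 'site.com' and not 'a.b.site.com';
- a wildcard directly under a TLD ('*.com') is refused;
- comparison is case-insensitive and ignores a trailing dot.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, must leave at least two
    # labels to its right, and no further '*' may appear anywhere else.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # '*' stands for exactly one label, so the label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers `hostname`."""
    return any(hostname_matches(n, hostname) for n in cert_names)


# Constructed SAN list resembling a typical purchased wildcard: the wildcard
# plus the bare domain, which the wildcard entry alone would not cover.
WILDCARD_SANS = ["*.site.com", "site.com"]

if __name__ == "__main__":
    for host in ["www.site.com", "site.com", "a.b.site.com", "evil-site.com"]:
        print(f"{host:16} -> {cert_covers(WILDCARD_SANS, host)}")
```

A modern browser only consults the SAN list, so a wildcard cert whose name lives solely in the CN, as in the keytool recipe earlier on this page, is rejected by current clients.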
0

Maybe a bit too late, but "GlobalSign SSL Certificates are provided with licensing for an unlimited number of servers included in the standard price."

DonEstefan