2

I have a wildcard certificate for *.example.com (signed by GeoTrust) and am going to host lots of application instances on different servers, each on my subdomain.

I am not willing to copy my OpenSSL private key to every customer. How do I use my certificate to create sub-certificates for individual subdomains without sharing mine?

kolypto
  • 1
    Set up a proxy server? Put your SSL certificate on the proxy server. Use internal certs for internal communication between the proxy server and internal servers. – Zoredache Apr 15 '14 at 17:06

2 Answers

5

With some providers of SSL certificates (Digicert as one) you can generate new private keys and CSRs to request certificates on each server. This allows you to maintain separate private keys (and also generate these certificates for subdomains using Subject Alternative Names). This does increase the administrative burden, but decreases the risk of sharing a single private key.

NickW
  • Can you explain that please? Makes no sense... – MichelZ Apr 15 '14 at 14:55
  • You can generate duplicate certificates, built from different private keys. Maybe I'm just spoiled by digicert : http://www.digicert.com/ppc/wildcard-certificates.htm?gclid=CLid_rLg4r0CFWXnwgodpi8ADg `But with DigiCert's unlimited server license, you can use your certificate on as many servers as you want. You can even generate separate certificates with unique key pairs for each server` – NickW Apr 15 '14 at 14:58
  • So that's probably an "oddity" of digicert then, I haven't come across that "feature" on other CA vendors yet – MichelZ Apr 15 '14 at 15:03
  • If you change your answer slightly, i can remove the downvote :) – MichelZ Apr 15 '14 at 15:07
  • Alright, sounds fair :) – NickW Apr 15 '14 at 15:08
  • @nickW that is definitely a useful feature that most providers don't offer – Grant Apr 15 '14 at 15:24
  • Yeah, it was an immense help to be able to upgrade OpenSSL and generate new certs with new private keys to mitigate the whole heartbleed fiasco. I won't mention how much easier it makes dealing with java keystores either. – NickW Apr 15 '14 at 15:25
  • I think this is an extremely useful answer - +1 from me! – MadHatter Apr 15 '14 at 15:27
  • @MadHatter thanks, as I said earlier, I'm spoiled by it... not sure why everyone doesn't do it honestly :) – NickW Apr 15 '14 at 15:34
  • 1
    Is it Digicert who does that, or I can issue sub-certificates myself? – kolypto Apr 15 '14 at 15:34
  • 1
    Digicert. You cannot issue certificates unless they are self signed ones. (or with super-special agreements where you get a sub-ca) – MichelZ Apr 15 '14 at 15:36
  • @kolypto MichelZ said it better than me :D – NickW Apr 15 '14 at 15:37
  • @NickW: I'm not sure about the "and also generate these certificates for specific subdomains" part... I think it has to be the same cert. However, there are other CA's (e.g. StartSSL) which allow you unlimited certs, so you get essentially the same feature. – MichelZ Apr 15 '14 at 15:38
  • 1
    Yeah, I could phrase that better: http://www.digicert.com/ssl-support/duplicate-ssl-certificates.htm (2nd half of that page). – NickW Apr 15 '14 at 15:49
4

This is not possible. You either need self-signed certificates or you need individual certificates.

MichelZ