
I own example.com, example.net, and example.biz.

I use Apache to rewrite example.net and example.biz to example.com.

Based on this rewriting, it is my understanding that I would only need a certificate for example.com, and not example.net and example.biz. Please confirm.

I am using sub-directories and not sub-domains to structure my site.

The one exception is the www sub-domain.

If I want SSL for both example.com as well as www.example.com, do I need either two certificates or a wildcard certificate?

Would you recommend rewriting one of these domains to the other, and just using a single certificate? If so, which one would you recommend using, and why?

Andrew Schulman
user1032531

2 Answers


If you want a certificate to handle example.com and www.example.com you should NOT use a wildcard certificate, because *.example.com does not match example.com. Instead you need a certificate which has, for example, example.com as the common name and then add www.example.com to the subject alternative names.

Also, if you want https://example.net or https://example.biz to redirect to https://example.com you need to add both these host names (and maybe the corresponding www.example.* too) to the subject alternative names as well, because the redirection occurs only after the TLS handshake and certificate verification. Otherwise the browser will complain about invalid certificates and the redirect will only be effective after the user has overridden these warnings.

Andrew Schulman
Steffen Ullrich
    Many CAs including Godaddy will sell you a wildcard for `*.example.org`, that will have a subject alternative name that includes the literal `example.org` for no additional cost. This works on most browsers from the last 5-10 years. So while it is true that `*.domain.tld` does not match `domain.tld`, this is a distinction **that doesn't matter if vendor you use for certs doesn't suck.** – Zoredache May 13 '14 at 23:09
  • Thanks Steffen, I've found little written on alternative names. I will keep on searching. Where do I add these alternative names? Do all certificate providers offer them? – user1032531 May 14 '14 at 01:27
  • @Zoredache GoDaddy seems to offer three options (as of today's date): Protect One Website starting at $69.99 /year, Protect Multiple Websites starting at $134.99 /year, and Protect All Subdomains ("Wildcard") starting at $269.99 /year. How is this relevant to your comment? Thank you – user1032531 May 14 '14 at 01:33
  • @user1032531, With that $270 wildcard cert Godaddy seems to automatically add the SAN for the bare domain for you. So if you provide a CSR for `*.domain.tld`, they give you a cert that is valid for `*.domain.tld`, and `domain.tld`. Other providers may do the same, but I haven't used them. See the examples on this page http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate – Zoredache May 14 '14 at 02:45
  • I have no experience with the sellers of the certificates, but I know the standards and their use in the browsers. So if your CA throws domain.com in if you order *.domain.com that's good - although it does not help if you need domain.biz and domain.net too. If you look at certificates from google or other big companies they have usually lots of names as alternative names, and you can put wildcards there too. Actually you must have the CN also in subject alternative names (SAN), because if SANs are there the browser will not look at the CN anymore. – Steffen Ullrich May 14 '14 at 04:29
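The matching rules that this answer and its comments rely on can be checked without a CA. The following Python is an added example, not code from the question or the answers: it models only the name fields of a certificate (a constructed `Certificate` class with a common name and a list of DNS subject alternative names) and applies the browser rules the answer describes, namely that the CN is ignored once a SAN extension is present, that `*.example.com` stands in for exactly one label and therefore never matches the bare `example.com`, and that a redirect from https://example.net only works cleanly when the certificate presented for example.net is already valid, because the Apache rewrite runs after the TLS handshake. The host names and the three sample certificates are constructed for illustration.

```python
"""Hostname-vs-certificate matching as browsers apply it (added example).

Constructed models only: no real certificates are parsed. Implements the rules
from the answer above: SAN present -> CN ignored; a wildcard covers exactly one
label and never the bare domain; a redirect can only fire after the handshake,
so the requested host itself must be covered.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Certificate:
    """Minimal model of the naming fields of an X.509 certificate (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # Browsers consult the CN only when the SAN extension is absent.
        return self.san_dns if self.san_dns else [self.common_name]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly '*.label...') against a host name.

    Comparison is case-insensitive; a trailing dot is ignored. A wildcard is
    honoured only as the entire left-most label and matches exactly one label,
    so '*.example.com' matches 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert: Certificate, hostname: str) -> bool:
    """True if any name the browser would consider matches the host."""
    return any(hostname_matches(name, hostname) for name in cert.names())


def coverage_report(cert: Certificate, hosts: List[str]) -> Dict[str, bool]:
    """Which of the given hosts a single certificate would serve without warning."""
    return {host: cert_covers(cert, host) for host in hosts}


def redirect_is_clean(cert: Certificate, requested_host: str) -> bool:
    """Would a browser reach the HTTP redirect on requested_host without a warning?

    The rewrite rule runs only after the TLS handshake succeeded, so the
    certificate presented for the *requested* host must already cover it;
    where the redirect points is irrelevant to this check.
    """
    return cert_covers(cert, requested_host)


# Hosts from the question (constructed list, bare and www for each domain).
ASKER_HOSTS = [
    "example.com", "www.example.com",
    "example.net", "www.example.net",
    "example.biz", "www.example.biz",
]

# Sample certificates (constructed).
WILDCARD_ONLY = Certificate("*.example.com", ["*.example.com"])
WILDCARD_PLUS_BARE = Certificate("*.example.com", ["*.example.com", "example.com"])
MULTI_DOMAIN = Certificate("example.com", ASKER_HOSTS)


if __name__ == "__main__":
    for label, cert in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + bare", WILDCARD_PLUS_BARE),
                        ("multi-domain SAN", MULTI_DOMAIN)]:
        print(label, coverage_report(cert, ASKER_HOSTS))
    print("redirect example.net -> example.com with the multi-domain cert:",
          redirect_is_clean(MULTI_DOMAIN, "example.net"))
    print("same redirect with a cert for example.com only:",
          redirect_is_clean(Certificate("example.com", ["example.com"]), "example.net"))
```

Running it shows the wildcard-only certificate failing on every bare domain and on the other two domains entirely, the "wildcard plus bare" certificate (the shape Zoredache describes) covering example.com and www.example.com but nothing under example.net or example.biz, and only the multi-domain SAN certificate covering all six hosts, which is why the redirecting vhosts need their own names in the SAN list.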

When I had a certificate issued for a domain, my provider helpfully added www as a Subject Alternative Name, like so:

[screenshot of the issued certificate showing the www host name listed under Subject Alternative Name]

(pardon my horrible censoring) So the answer is, not usually. Most providers do this automatically. Ask your provider if you're not sure or if the certificate they do issue you lacks this field.

Note: This is the very basic certificate (the $9 one that certain providers often provide for free) and it has a SAN, so it's a cheap alternative.

There are also UCC certificates that are even better than wildcard certificates because they can cover more than one domain name. They also use the SAN field to list domains, so this field is not limited to just a single domain name, either.

Nathan C