
I have a bunch of sites served through nginx with SSL with self-signed certificates, each of which is on a subdomain, e.g.:

https://app1.example.com
https://app2.example.com

My user base is small and tightly controlled so I personally install the certificates for each user. The problem is that the number of apps is increasing to the point that it would be far easier to be able to have a single *.example.com which I circulate. However, self-signed wildcard certificates don't work in most browsers. How would I get around this? I'm guessing that one option would be to somehow provide a list of subdomains for the certificate, but I have no idea how I would go about doing that. My other thought is that perhaps I could create a self-signed root certificate from which each subdomain inherits?

aquavitae
    If your userbase is indeed well controlled the most convenient might be to set up your own PKI (or really just a CA), distribute that new root CA certificate and then create signed certificates as needed. – HBruijn May 06 '15 at 12:21
  • You could create a GPO to push all certificates too if the PCs are in a domain. (https://technet.microsoft.com/en-us/library/cc770315%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) – yagmoth555 May 06 '15 at 12:36
  • @HBruijn I'm not entirely sure what you mean, but it sounds like what I want. Could you expand on the answer and give any guidance as to how to do it? – aquavitae May 06 '15 at 13:06
  • @yagmoth555 Controlled group of users, but not all on the same domains, and the domains are not in my control. – aquavitae May 06 '15 at 13:07
  • Setting up a CA with openssl from a command line is quite well documented. See for instance [this](http://math.cmu.edu/~svasey/old-homepage-archive-2013/projects/software-usage-notes/ssl_en.html) site, `man ca` – HBruijn May 06 '15 at 13:34
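Worked example of the approach HBruijn describes, added here and not part of the original question, comments or answer: create a private root CA with openssl, then sign two server certificates with it, one whose subjectAltName lists several subdomains (the "list of subdomains" idea from the question) and one wildcard certificate, and check which hostnames each one is accepted for. Only the root certificate is distributed to users; every later app certificate chains to it. The hostnames app1/app2.example.com come from the question; the working directory, CA name, key sizes, validity periods and the app3/app9 probe names are assumptions, and an openssl 1.1.1 or 3.x binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not the poster's own setup). Private CA + SAN cert + wildcard
# cert, all with plain openssl. Names from the question; WORK, key sizes,
# validity periods and the CA subject are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROOT_CRT="$WORK/root.crt"
ROOT_KEY="$WORK/root.key"

# 1. Root CA: self-signed, CA:TRUE, allowed to sign end-entity certs only
#    (pathlen:0). This is the one certificate users import as trusted; keep
#    root.key offline and never install it anywhere but the signing box.
make_root_ca() {
    cat > "$WORK/root.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/root.cnf" -keyout "$ROOT_KEY" -out "$ROOT_CRT" 2>/dev/null
}

# 2. Server cert: $1 is a file stem, the remaining args are the DNS names to
#    place in subjectAltName (a wildcard such as '*.example.com' is allowed).
#    Browsers match the SAN list, not the CN, so every name must appear here.
issue_server_cert() {
    stem=$1; shift
    san=""
    for name in "$@"; do san="${san:+$san,}DNS:$name"; done
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    cat > "$WORK/$stem.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORK/$stem.csr" \
        -CA "$ROOT_CRT" -CAkey "$ROOT_KEY" -CAcreateserial \
        -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
}

# 3. Does cert $1 chain to our root AND cover hostname $2? Returns 0 for yes,
#    1 for no. -verify_hostname applies the same SAN/wildcard matching rules a
#    TLS client uses, so this mirrors what a browser would decide.
hostname_accepted() {
    if openssl verify -CAfile "$ROOT_CRT" -verify_hostname "$2" \
            "$WORK/$1.crt" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

make_root_ca
issue_server_cert san  app1.example.com app2.example.com
issue_server_cert wild '*.example.com'

for pair in "san app1.example.com" "san app3.example.com" \
            "wild app9.example.com" "wild example.com"; do
    set -- $pair
    if hostname_accepted "$1" "$2"; then
        echo "$1.crt accepts $2"
    else
        echo "$1.crt rejects $2"
    fi
done
```

Two things the run makes visible: the SAN certificate is rejected for app3.example.com, so adding an app means re-issuing that certificate (cheap once the CA exists, and the users need nothing new because they already trust root.crt), and the wildcard certificate covers any single label under example.com but not the bare example.com itself, so if the apex name is served it needs its own SAN entry. The self-signed wildcard the question tried fails for a different reason, namely that no client trusts its issuer; signed by an installed private root it is accepted.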

1 Answer


If your user base and their computers are not managed by you, then that is a classic case where you should purchase an SSL certificate from a 3rd party rather than use self-signed certs. Wildcard certs are readily available from many 3rd party CAs and they are not very expensive. I assume you own the example.com domain.

JaredPep