15

I am trying to set up SSL for the first time. I purchased my domain and SSL certificate from Gandi.net. Their docs say

subdomain.example.com indicates the subdomain that you want to protect. This is the most important part. If you have a single-address certificate to activate, you should put in the full subdomain (e.g. foo.example.com). The www subdomain is added automatically by the CA, for example, example.com will secure both example.com and www.example.com. If you have a wildcard certificate, you should put in a * for the subdomain (e.g. *.example.com). Wildcard certificates also secure the raw domain (with no subdomain). - http://wiki.gandi.net/en/ssl/csr

I am hosting my app on Heroku and their docs say:

The Common Name field must match the secure domain. You cannot purchase a certificate for the root domain, e.g., example.com, and expect to secure www.example.com. The inverse is also true. Additionally, SSL Endpoint only supports one certificate per app. Please keep this in mind for multi-domain applications and specify a Common Domain that matches all required domains. - https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate

These seem to conflict. Please advise!

speg
  • 1,959
  • 6
  • 24
  • 34
  • Looks like I bumped into the same issue 3 years later. My certificate is also issued by Gandi but works only for `example.com` and not `www.example.com` http://stackoverflow.com/questions/39767393/issue-with-https-requests-only-to-www-subdomain How did you solve it? – Alphaaa Sep 29 '16 at 10:29

2 Answers

7

You'll want to get a certificate from an authority that supports the Subject Alternate Name X.509 extension.

This will let you get a domain with its Common Name set to www.mydomain.com, and an Alternate Name set to mydomain.com (as Lloeki noted, you should provide both names as alternate names).

Thomas Orozco
  • 53,284
  • 11
  • 113
  • 116
  • Watch out, if the CA happens to need you to provide a CSR with alt-names, a common pitfall is to forget to *also* add the Common Name as an Alternate Name entry! – Lloeki Mar 08 '17 at 14:28
  • @Lloeki good point; thanks. That being said, most CAs will only reuse the public key from your CSR, and basically rewrite everything else. – Thomas Orozco Mar 08 '17 at 14:29
2

It depends on which Certificate Authority (CA) you have chosen to purchase the certificate from. Some of them provide an option for an alternate domain name including "www"; some of them do not.

As you have written above:

I am hosting my app on Heroku and their docs say:

The Common Name field must match the secure domain. You cannot purchase a certificate for the root domain, e.g., example.com, and expect to secure www.example.com. The inverse is also true. Additionally, SSL Endpoint only supports one certificate per app. Please keep this in mind for multi-domain applications and specify a Common Domain that matches all required domains. - https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate

It is true, because yourdomain.com and www.yourdomain.com are considered different domains (multi-domain), and your certificate has to be trusted for both of them. So before generating the CSR string, please attentively read the requirements for the CSR string and the features provided by the CA.

vitaliy zadorozhnyy
  • 1,226
  • 10
  • 12
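To make the point of both answers concrete, here is an added example (not code from either answer, Gandi or Heroku) that applies the hostname-matching rules TLS clients use (RFC 6125 / RFC 2818) to a few constructed certificate identities: a Common Name alone covering example.com does not cover www.example.com, a Subject Alternative Name list covering both names does, a wildcard `*.example.com` covers www.example.com but not the bare domain unless the bare domain is also listed, and, per Lloeki's pitfall, once any dNSName SAN entries are present the Common Name is ignored entirely. The `CertIdentity` class and the sample identities are constructed for this illustration; no real certificate is parsed.

```python
"""Hostname matching against a certificate's identifiers.

Added illustration of the RFC 6125 rules that browsers and TLS libraries
apply when deciding whether a certificate is valid for a hostname.  The
certificate identities below are constructed, not real certificates.
"""
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The parts of a certificate that matter for hostname checks (constructed)."""
    common_name: str
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


def _match_one(pattern: str, hostname: str) -> bool:
    """Match a single dNSName / CN pattern against a hostname.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would match a whole TLD, e.g. '*.com'.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: CertIdentity, hostname: str) -> bool:
    """Return True if the certificate is valid for hostname.

    When the certificate carries any dNSName SAN entries the Common Name is
    ignored, which is why forgetting to repeat the CN in the SAN list yields
    a certificate that does not work for the very name in its CN.
    """
    if cert.san_dns:
        return any(_match_one(name, hostname) for name in cert.san_dns)
    return _match_one(cert.common_name, hostname)


def coverage_report(cert: CertIdentity, hostnames) -> dict:
    """Map each hostname to whether the certificate covers it."""
    return {h: hostname_matches(cert, h) for h in hostnames}


# Constructed identities mirroring the situations discussed above.
ROOT_ONLY = CertIdentity("example.com")                       # CN only, no SAN
ROOT_AND_WWW = CertIdentity("www.example.com", ["www.example.com", "example.com"])
WILDCARD_ONLY = CertIdentity("*.example.com", ["*.example.com"])
WILDCARD_PLUS_ROOT = CertIdentity("*.example.com", ["*.example.com", "example.com"])
CN_NOT_IN_SAN = CertIdentity("www.example.com", ["example.com"])  # Lloeki's pitfall

if __name__ == "__main__":
    names = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]
    for label, cert in [("CN only", ROOT_ONLY), ("root + www SAN", ROOT_AND_WWW),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + root", WILDCARD_PLUS_ROOT),
                        ("CN missing from SAN", CN_NOT_IN_SAN)]:
        print(f"{label:20s} {coverage_report(cert, names)}")
```

The practical check after a CA issues the certificate is to confirm that every hostname the app serves appears as a dNSName in the SAN list, since that list, not the Common Name, is what clients evaluate; a CA that "also secures the raw domain" on a wildcard does so by listing the bare domain as an extra SAN entry.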