Thread: Wildcard SSL certificates for multiple servers - where to buy?

  1. #1

    Join Date
    May 31, 2011
    Posts
    3,172

    Wildcard SSL certificates for multiple servers - where to buy?

    Fellow FHC IT-magicians,

    we've reached a stage where we're looking to consolidate our couple of single host certs into a (newly to be purchased) wildcard certificate. Main usage: HTTPS traffic

    From what I've read, there's no technical limitation that would prevent the installation of a wildcard certificate on multiple different servers. But at the same time CAs seem to try to "milk" customers by "licensing" such a cert for a single server only. Want that cert on a different server? Pay again for the same cert. Though not all CAs seem to do this.

    (Yeah, we're trying to do this legit, I'm aware of the "just copy it" option ...)

    Now, here's my question: do you know and can recommend a CA who:

    - doesn't pose artificial restrictions on the wildcard certs he sells/issues
    - isn't a PITA to deal with (I'm looking at you, Thawte!)
    - provides an easy way (web portal/email robot) to create the actual certs yourself via your CSR

    I'm willing to let go of the latter if, say, a quick call during Central European business hours would do the trick.

  2. #2
    Daneel Trevize's Avatar
    Join Date
    April 10, 2011
    Location
    T L A
    Posts
    11,971
    Is this actually for undefined clients, or can you just generate your own certs and deploy your public signing cert/key to the clients' store?
    Quote Originally Posted by QuackBot View Post
    Idk about that, and i'm fucking stupid.

  3. #3

    Join Date
    May 31, 2011
    Posts
    3,172
    It's (mostly) for public consumption = undefined clients = our web presence.

  4. #4
    Donor Aea's Avatar
    Join Date
    April 13, 2011
    Location
    Colorado
    Posts
    13,500
    I like Comodo. You could also try a reseller like Namecheap.

    I have never seen per-server SSL licensing and have no fucking idea how you could even accomplish that. Are you referring to *.domain.tld vs. *.sub.domain.tld? Then yes, in that scenario you do actually need multiple certificates.

  5. #5
    Donor Snake's Avatar
    Join Date
    April 10, 2011
    Posts
    1,411
    I like startssl for my home stuff. I think you can get wildcard certs for like 60 bucks.

  6. #6
    thebomby's Avatar
    Join Date
    April 9, 2011
    Location
    Switzerland
    Posts
    6,420
    Quote Originally Posted by Aea View Post
    I like Comodo. You could also try a reseller like Namecheap.

    I have never seen per-server SSL licensing and have no fucking idea how you could even accomplish that. Are you referring to *.domain.tld vs. *.sub.domain.tld? Then yes, in that scenario you do actually need multiple certificates.
    We use Comodo as well. You only pay for the wildcard once, but you have to generate the keys for each server.
    Be humble, be meek, do not care about the perishable
    To the power given by God, son, be forever faithful...
    I love Russia, I am a patriot

  7. #7

    Join Date
    May 31, 2011
    Posts
    3,172
    Quote Originally Posted by Aea View Post
    I like Comodo. You could also try a reseller like Namecheap.

    I have never seen per-server SSL licensing and have no fucking idea how you could even accomplish that.
    By not issuing another cert, when providing a CSR for a different server. But keep in mind, this is what I've got from reading about wildcard certs, not actual experience.

    Are you referring to *.domain.tld vs. *.sub.domain.tld
    Nope, solely *.domain.tld

  8. #8

    Join Date
    May 31, 2011
    Posts
    3,172
    Quote Originally Posted by thebomby View Post
    Quote Originally Posted by Aea View Post
    I like Comodo. You could also try a reseller like Namecheap.

    I have never seen per-server SSL licensing and have no fucking idea how you could even accomplish that. Are you referring to *.domain.tld vs. *.sub.domain.tld? Then yes, in that scenario you do actually need multiple certificates.
    We use Comodo as well. You only pay for the wildcard once, but you have to generate the keys for each server.
    Good to know. We already use them for 1 cert, if I'm not mistaken. Thx, mate.

  9. #9
    Donor erichkknaar's Avatar
    Join Date
    April 9, 2011
    Posts
    8,413
    Some cert companies will charge a per server license fee, some won't. As Aea mentioned, you do need one per sub domain though. We've used Comodo and Thawte, but Symantec bought Thawte off Verisign so we don't use them anymore.
    meh

  10. #10
    Super Moderator Global Moderator QuackBot's Avatar
    Join Date
    March 7, 2012
    Posts
    20,806
    Quote Originally Posted by Aea View Post
    I like Comodo. You could also try a reseller like Namecheap.

    I have never seen per-server SSL licensing and have no fucking idea how you could even accomplish that. Are you referring to *.domain.tld vs. *.sub.domain.tld? Then yes, in that scenario you do actually need multiple certificates.
    Yes you are.

  11. #11
    Donor Rami's Avatar
    Join Date
    April 10, 2011
    Location
    London/Snuffbox
    Posts
    1,303
    We've got a RapidSSL one that was single purchase, deploy everywhere. Very handy when puppetizing stuff.

  12. #12

    Join Date
    May 31, 2011
    Posts
    3,172
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?

  13. #13
    Donor erichkknaar's Avatar
    Join Date
    April 9, 2011
    Posts
    8,413
    I'm
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?
    Host name is not a sub domain.

    *.example.com would allow you to have as many hosts under example.com as you want.
    *.marketing.example.com would allow you to have as many hosts under marketing.example.com as you want.
    Host.marketing.example.com is not a valid host name for a cert covering *.example.com.
    meh

  14. #14
    Lana Torrin's Avatar
    Join Date
    April 13, 2011
    Location
    Bonding around
    Posts
    17,805
    Quote Originally Posted by erichkknaar View Post
    I'm
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?
    Host name is not a sub domain.

    *.example.com would allow you to have as many hosts under example.com as you want.
    *.marketing.example.com would allow you to have as many hosts under marketing.example.com as you want.
    Host.marketing.example.com is not a valid host name for a cert covering *.example.com.
    I would argue it is.. I'll check at work, I think one of our clients has this setup with a wildcard.

    Tapaderpin
    Quote Originally Posted by lubica
    And her name was Limul Azgoden, a lowly peasant girl.

  15. #15
    Donor Aea's Avatar
    Join Date
    April 13, 2011
    Location
    Colorado
    Posts
    13,500
    Quote Originally Posted by Lana Torrin View Post
    Quote Originally Posted by erichkknaar View Post
    I'm
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?
    Host name is not a sub domain.

    *.example.com would allow you to have as many hosts under example.com as you want.
    *.marketing.example.com would allow you to have as many hosts under marketing.example.com as you want.
    Host.marketing.example.com is not a valid host name for a cert covering *.example.com.
    I would argue it is.. I'll check at work, I think one of our clients has this setup with a wildcard.

    Tapaderpin
    You're mistaken, or the validation mechanism isn't standard.

    RFC 6125

    6.4.3. Checking of Wildcard Certificates

    If a client matches the reference identifier against a presented
    identifier whose DNS domain name portion contains the wildcard
    character '*', the following rules apply:

    1. The client SHOULD NOT attempt to match a presented identifier in
    which the wildcard character comprises a label other than the
    left-most label (e.g., do not match bar.*.example.net).

    2. If the wildcard character is the only character of the left-most
    label in the presented identifier, the client SHOULD NOT compare
    against anything but the left-most label of the reference
    identifier (e.g., *.example.com would match foo.example.com but
    not bar.foo.example.com or example.com).

    3. The client MAY match a presented identifier in which the wildcard
    character is not the only character of the label (e.g.,
    baz*.example.net and *baz.example.net and b*z.example.net would
    be taken to match baz1.example.net and foobaz.example.net and
    buzz.example.net, respectively). However, the client SHOULD NOT
    attempt to match a presented identifier where the wildcard
    character is embedded within an A-label or U-label [IDNA-DEFS] of
    an internationalized domain name [IDNA-PROTO].

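    The three RFC 6125 section 6.4.3 rules quoted above, implemented as a client-side name check (an added example, not code from anyone in this thread). It also applies the rules to the thread's own case, Host.marketing.example.com against *.example.com; the refusal to match a wildcard against a bare top-level name is an assumption about common client practice, not something the quoted RFC text states.

```python
"""RFC 6125 6.4.3 wildcard matching of a presented identifier (from the cert)
against a reference identifier (the host the client meant to reach)."""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(presented: str, reference: str, allow_partial: bool = True) -> bool:
    """True if the certificate name `presented` (may contain '*') covers `reference`.

    allow_partial enables rule 3 (a MAY): labels such as baz*, *baz or b*z.
    """
    p_labels = _labels(presented)
    r_labels = _labels(reference)
    if "*" not in presented:
        return p_labels == r_labels  # plain name: exact label match only
    # Rule 1: the wildcard may only live in the left-most label.
    if any("*" in lab for lab in p_labels[1:]):
        return False
    # Assumed client practice (not in the RFC text): refuse '*' or '*.com'.
    if len(p_labels) < 3:
        return False
    # Rule 2: the wildcard stands for exactly one label, so the label counts
    # must agree. This rejects bar.foo.example.com and bare example.com for
    # *.example.com, and Host.marketing.example.com (4 labels vs 3).
    if len(p_labels) != len(r_labels) or p_labels[1:] != r_labels[1:]:
        return False
    first, target = p_labels[0], r_labels[0]
    if target == "":
        return False
    if first == "*":
        return True
    # Rule 3 (optional): one embedded wildcard, never inside an IDNA A-label
    # (xn--...) or a U-label (non-ASCII).
    if not allow_partial or first.count("*") != 1:
        return False
    if first.startswith("xn--") or target.startswith("xn--"):
        return False
    if not first.isascii() or not target.isascii():
        return False
    prefix, suffix = first.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))
```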
  16. #16
    Lana Torrin's Avatar
    Join Date
    April 13, 2011
    Location
    Bonding around
    Posts
    17,805
    Quote Originally Posted by Aea View Post
    Quote Originally Posted by Lana Torrin View Post
    Quote Originally Posted by erichkknaar View Post
    I'm
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?
    Host name is not a sub domain.

    *.example.com would allow you to have as many hosts under example.com as you want.
    *.marketing.example.com would allow you to have as many hosts under marketing.example.com as you want.
    Host.marketing.example.com is not a valid host name for a cert covering *.example.com.
    I would argue it is.. I'll check at work, I think one of our clients has this setup with a wildcard.

    Tapaderpin
    You're mistaken, or the validation mechanism isn't standard.

    RFC 6125

    6.4.3. Checking of Wildcard Certificates

    If a client matches the reference identifier against a presented
    identifier whose DNS domain name portion contains the wildcard
    character '*', the following rules apply:

    1. The client SHOULD NOT attempt to match a presented identifier in
    which the wildcard character comprises a label other than the
    left-most label (e.g., do not match bar.*.example.net).

    2. If the wildcard character is the only character of the left-most
    label in the presented identifier, the client SHOULD NOT compare
    against anything but the left-most label of the reference
    identifier (e.g., *.example.com would match foo.example.com but
    not bar.foo.example.com or example.com).

    3. The client MAY match a presented identifier in which the wildcard
    character is not the only character of the label (e.g.,
    baz*.example.net and *baz.example.net and b*z.example.net would
    be taken to match baz1.example.net and foobaz.example.net and
    buzz.example.net, respectively). However, the client SHOULD NOT
    attempt to match a presented identifier where the wildcard
    character is embedded within an A-label or U-label [IDNA-DEFS] of
    an internationalized domain name [IDNA-PROTO].
    I'll just concede defeat so I don't have to check on Monday.

    Tapaderpin
    Quote Originally Posted by lubica
    And her name was Limul Azgoden, a lowly peasant girl.

  17. #17

    Join Date
    May 31, 2011
    Posts
    3,172
    Quote Originally Posted by erichkknaar View Post
    I'm
    Quote Originally Posted by Hel OWeen View Post
    Quote Originally Posted by erichkknaar View Post
    As Aea mentioned, you do need one per sub domain though.
    Erhm, isn't that the whole purpose of wildcard certs? No more single certs for each subdomain (hostname)?
    Host name is not a sub domain.

    *.example.com would allow you to have as many hosts under example.com as you want.
    *.marketing.example.com would allow you to have as many hosts under marketing.example.com as you want.
    Host.marketing.example.com is not a valid host name for a cert covering *.example.com.
    OK, in my world Host.marketing.example.com isn't a valid name at all. There's only subdomain/host.domain.tld. Anything beyond that most likely stems from marketing retards ...

  18. #18

    Join Date
    May 31, 2011
    Posts
    3,172
    Necro for good reason: Let's Encrypt to offer free wildcard certificates

    Planned for 01/2018
