  1. #1
    Join Date
    Feb 2005
    Posts
    127

    Understanding SSL certificates - wildcard, 'CA certificate', root certs

    If we've got multiple domains under a common domain needing SSL certificates, I understand that a wildcard certificate would do the trick.

    If we've got multiple subdomains under several domains, then I'd need a certificate (or wildcard certificate, if each has subdomains) for each higher-level domain. But just like you can create a 'CA certificate' or a regular certificate using openssl, if I were to create a CA certificate signing request and buy a CA certificate, would I then be able to use that CA certificate to create certificates for all our domains and subdomains as much as we want?

    Some questions about it:

    1. If what I've described above is even possible, what's the disadvantage to going with the CA certificate option?
    2. Is there any downside, apart from price, with going with a wildcard domain certificate and not two regular certificates - one for domain.com and one for sub.domain.com? (I think I remember reading somewhere wildcards weren't 'official' or something like that...dunno)

    Also, what things should I look for when buying a certificate? For example, if I've understood the concept of a 'root' certificate correctly then you want to look for a certificate that has been signed by the top-level certificate authorities rather than signed by an authority that has been signed by a top-level authority.

    But when I look at the list of certificate authorities installed by default in Firefox, they all look like top-level authorities. So basically, any certificate that works without warnings in Firefox would work as well as any other?

    (I realize that some authorities do a better series of checks to ensure you're legit, but if a client gets no browser warnings for a certificate signed by a company that does rigorous checks vs one that doesn't, then for me I don't consider strength of background checks as being a criterion in my decision.)

  2. #2
    Join Date
    Aug 2002
    Location
    Milton Keynes
    Posts
    354
    You cannot merely buy a 'CA certificate'; the closest you could easily come (without jumping through $100k+ of hoops, security, procedure, ISO certification etc.) is to become a reseller.

    The whole concept of having a central trusted authority and a clear chain of trust breaks down if they give out certificates to anybody.

    A wildcard certificate will work for all direct subdomains of example.com, e.g. derp.example.com, and is perfectly valid. If you foresee yourself needing more than about 5 certificates (depending on price) then it's probably better and easier to go with a standard certificate.

    Most CAs will let you choose a domain name and a single subdomain for standard certificates, e.g. example.com and secure.example.com, or example.com and www.example.com.

  3. #3
    You need a wildcard certificate when you want to use it on multiple subdomains. But if you will have only one domain and one subdomain, then two root certificates will also do the trick.

    You do not need a wildcard unless you want to cut down on the cost by using the same cert on multiple subdomains.
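
The scope of a wildcard name discussed in this thread (direct subdomains only), as an added example that is not part of the original posts: a simplified matcher in the style of RFC 6125. The function names and the certificate name lists are constructed for illustration, and the rule that `*` must be the whole leftmost label is an assumption reflecting common client behaviour.

```python
# Added example: simplified certificate name matching in the style of RFC 6125.
# All certificate name lists and hostnames below are constructed samples.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def pattern_matches(pattern, hostname):
    """Return True if one certificate dNSName pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        # This is why *.example.com covers neither example.com nor a.b.example.com.
        return False
    if p[0] == "*":
        # Assumption: "*" is only honoured as the entire leftmost label, with at
        # least two fixed labels after it (so a pattern like "*.com" is rejected).
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return bool(h[0]) and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial or non-leftmost wildcards are not honoured here
    return p == h

def cert_covers(san_names, hostname):
    """Return True if any name listed in the certificate covers hostname."""
    return any(pattern_matches(name, hostname) for name in san_names)

def coverage_report(san_names, hostnames):
    """Map each hostname to whether the certificate's names cover it."""
    return {host: cert_covers(san_names, host) for host in hostnames}

# Constructed name lists for three certificate shapes mentioned in the thread.
CERTS = {
    "wildcard only": ["*.example.com"],
    "wildcard plus apex": ["*.example.com", "example.com"],
    "standard (domain + one subdomain)": ["example.com", "www.example.com"],
}
HOSTS = ["example.com", "www.example.com", "derp.example.com",
         "a.derp.example.com", "derp.example.org"]

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(label)
        for host, ok in coverage_report(names, HOSTS).items():
            print(f"  {host:22} {'covered' if ok else 'NOT covered'}")
```

Running it shows that a wildcard name alone does not cover the bare domain or a second level of subdomains, so those hostnames need their own names on the certificate.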
