
Thread: SSL certs wildcard domains across different hosts

  1. #1
    Member
    Join Date
    Jul 2009
    Posts
    102

    Question SSL certs wildcard domains across different hosts

    I have a number of hosts all in the same domain "name.company.tld" with 1 of them hosting the website for name.company.tld

    I would like to use 1 cert *.name.company to avoid having to get individual certs, but was wondering if I can use the same cert across a number of hosts to both sign the host and some of the websites they host?

    All certs will be from the same CA but wanted to check before going further

  2. #2
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    Is it just a matter of using the correct key when I go to install the certs across the different hosts and hosted site?

  3. #3
    Member
    Join Date
    May 2010
    Posts
    321

    Default

    Someone correct me if I'm wrong, but if a user wants SSL certificates, they must have their own dedicated IP for this to work?

  4. #4
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    Not sure, but have dedicated IP addresses for hosts and the website

  5. #5
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default

    You can install a wildcard SSL onto the main shared IP, but it will end up installing as the user nobody and have to be manually modified to change it if you want to have additional subdomains on the SSL certificate.

    The modification would be in /var/cpanel/userdata/nobody location to copy the existing *.domain.com_SSL to /var/cpanel/userdata/username location (replacing username with the actual username for the domain account), then changing it to match the subdomain name and modifying the paths to the user and changing nobody to the username.

    Here's an example of what the /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL file would look like that needs modified:

    Code:
    documentroot: /home/username/public_html
    group: nobody
    hascgi: 1
    homedir: /usr/local/apache/htdocs
    ip: #
    owner: root
    phpopenbasedirprotect: 0
    port: 443
    serveradmin: webmaster@mydomainisgreat.com
    serveralias: "*.mydomainisgreat.com"
    servername: "*.mydomainisgreat.com"
    ssl: 1
    sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
    sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
    sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
    sslengine: 'on'
    usecanonicalname: 'Off'
    user: nobody

    The lines needing changed would be these:

    Code:
    group: nobody
    homedir: /usr/local/apache/htdocs
    user: nobody

    Sometimes, the documentroot: line also needs changed if it isn't pointing to that user's /home/username/public_html path.

    The nobody user would be changed to the username for the cPanel account with the subdomain, while the homedir would be /home/username instead.

    So, let's say you have pandas.mydomainisgreat.com as the subdomain needing the wildcard SSL on the great cPanel username account, you'd do:

    Code:
    cp /var/cpanel/userdata/nobody/*.mydomainisgreat.com_SSL /var/cpanel/userdata/great/pandas.mydomainisgreat.com_SSL

    Then in the copied file, you'd change it to the following:

    Code:
    documentroot: /home/great/public_html/pandas
    group: great
    hascgi: 1
    homedir: /home/great
    ip: PUT.IP.ADDRESS.HERE
    owner: root
    phpopenbasedirprotect: 0
    port: 443
    serveradmin: webmaster@mydomainisgreat.com
    serveralias: "www.pandas.mydomainisgreat.com"
    servername: "pandas.mydomainisgreat.com"
    ssl: 1
    sslcacertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.cabundle
    sslcertificatefile: /usr/share/ssl/certs/*.mydomainisgreat.com.crt
    sslcertificatekeyfile: /usr/share/ssl/private/*.mydomainisgreat.com.key
    sslengine: 'on'
    usecanonicalname: 'Off'
    user: great

    At that point, you'd then save the file, copy Apache as a backup, rebuild Apache configuration and restart Apache:

    Code:
    cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak101013
    /scripts/rebuildhttpdconf
    /etc/init.d/httpd restart

    That's how you get a wildcard subdomain SSL certificate working on a shared IP when installed for the user nobody. You should then be able to do the same for any subdomains on that domain on other accounts so long as you modify the paths and user properly for each.
    Last edited by cPanelKeithS; 10-13-2010 at 11:43 PM. Reason: minor correction
    -- Tristan, Technical Analyst III, Forums Specialist, cPanel Tech Support
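
    The copy-and-edit step from the post above, as an added example that is not part of the original post and is not cPanel code. The function names are hypothetical, 192.0.2.10 is a documentation address, and the coverage check compares names against the wildcard name only (a certificate may carry further SAN entries); a wildcard stands for exactly one label, so a name one level deeper is reported.

```shell
#!/bin/sh
# Added example, not cPanel code. Sample data below is constructed.

# covered_by WILDCARD HOST: succeed if HOST matches WILDCARD, where "*" stands
# for exactly one leftmost DNS label (names assumed lowercase).
covered_by() {
    case $1 in '*.'*) ;; *) return 1 ;; esac
    suffix=${1#??}
    case $2 in *."$suffix") label=${2%."$suffix"} ;; *) return 1 ;; esac
    case $label in ''|*.*) return 1 ;; esac
}

# rewrite_userdata USER HOST IP DOCROOT < nobody-template > per-account file
# Changes the lines the post lists; certificate and key paths are left as-is.
# Arguments must not contain "|" or "&" (they are special to sed here).
rewrite_userdata() {
    sed -e "s|^documentroot:.*|documentroot: $4|" \
        -e "s|^group:.*|group: $1|" \
        -e "s|^homedir:.*|homedir: /home/$1|" \
        -e "s|^ip:.*|ip: $3|" \
        -e "s|^serveralias:.*|serveralias: \"www.$2\"|" \
        -e "s|^servername:.*|servername: \"$2\"|" \
        -e "s|^user:.*|user: $1|"
}

# uncovered_names WILDCARD < userdata: print each servername/serveralias value
# that the wildcard name does not cover.
uncovered_names() {
    sed -n -e 's/^servername: *//p' -e 's/^serveralias: *//p' |
    tr -d '"' | tr ' ' '\n' |
    while read -r name; do
        [ -n "$name" ] || continue
        covered_by "$1" "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample: the relevant lines of the "nobody" template.
TEMPLATE='documentroot: /home/username/public_html
group: nobody
homedir: /usr/local/apache/htdocs
ip: #
serveralias: "*.mydomainisgreat.com"
servername: "*.mydomainisgreat.com"
user: nobody'

NEW=$(printf '%s\n' "$TEMPLATE" |
      rewrite_userdata great pandas.mydomainisgreat.com 192.0.2.10 \
                       /home/great/public_html/pandas)
printf '%s\n' "$NEW"
printf 'not covered by wildcard: %s\n' \
    "$(printf '%s\n' "$NEW" | uncovered_names '*.mydomainisgreat.com')"
```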

  6. #6
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    When I create the SSL cert request using WHM "Generate a SSL Certificate and Signing Request", should I name the domain *.mydomain.tld or mydomain.tld so it will work across mydomain.tld and dom1.mydomain.tld ...domN.mydomain.tld?

  7. #7
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default

    You should name it *.mydomain.tld for the CSR (Certificate and Signing Request) generation.

  8. #8
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    And when I'm installing the *.mydomain.tld cert, should I list the actual specific domain it's applying to, e.g. enabling WHM SSL access to dom1.mydomain.tld, or leave it as *.mydomain.tld in the "domain this CRT is for" field?

  9. #9
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default

    When you install the SSL onto the user nobody, you'll need to install it onto the wildcard as that first SSL needs to be owned by the wildcard and nobody. Subsequent SSLs for the various subdomains will then need to be manually installed using the method I detailed above.

  10. #10
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    I probably misunderstood the instructions, but they seem to be directed at sites that share the same IP address. I have/will have separate IP addresses for host, domain and subdomains.

    Apologies if I didn't pick it up correctly

  11. #11
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default

    If you will have different IPs for each domain, then you can install each in WHM using the subdomain name for each that will have their own SSL on their own IP for the wildcard SSL. The first SSL installation needs to be for the wildcard SSL itself, though, so you would need to install *.mydomain.tld first.

  12. #12
    Member
    Join Date
    Jul 2009
    Posts
    102

    Default

    So I would install and set up the domains in this order:
    1. *.mydomain.tld
    2. mydomain.tld
    3. dom1.mydomain.tld
    4. dom2.mydomain.tld
    5. ....


    Or is it recommended that the *.mydomain.tld SSL be installed on the website mydomain.tld with the user nobody?

  13. #13
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default

    You don't need to install it for the mydomain.tld website under the user nobody, you can simply install the wildcard first as the user nobody and then each subsequent SSL as its own user provided each has a different IP. This means that subdomains must be on their own account with their own IP for each in order to install them via WHM.

  14. #14
    Member
    Join Date
    Jul 2010
    Posts
    19

    Default Re: SSL certs wildcard domains across different hosts

    Okay, so I have been trying to follow along with this. Let me see if I've got it right...

    Ultimately we'll want to have SSL (https://) installed for a main domain and any subdomains. So, should we have created the initial SSL for the main domain as *.maindomain.tld instead of just maindomain.tld? That seems fine, but what if you didn't anticipate ever using a subdomain? Are we forced to reinstall a new SSL?

  15. #15
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    7,611
    cPanel/WHM Access Level

    Root Administrator

    Default Re: SSL certs wildcard domains across different hosts

    If you are going to get a wildcard certificate, which inherently costs more than a regular SSL, you need to generate the CSR and key for *.maindomain.com rather than for maindomain.com before purchasing it. If you then later don't use it for any subdomains, you would still be able to use it on maindomain.com and www.maindomain.com.

    If you didn't create the CSR and key for *.maindomain.com, then I suggest regenerating it prior to purchase.

    If you aren't actually going to use it on any subdomains, you might as well not purchase a wildcard SSL. As I mentioned, they cost more and the only reason to pay the additional costs would be if you are going to use it.
