How to install multi-domain certificate in 11.40

regisit


There's so much out-of-date, confusing and somewhat lacking information surrounding SSL certificates on WHM/cPanel that I thought I'd ask some clear and simple questions and see if I can get some clear and simple answers!

Setup: we have WHM/cPanel 11.40 on a private server. This server is for the sole use of a single business and will primarily host a Magento multi-store install in a single cPanel account. There may be other WordPress sites at a later date in their own cPanel accounts (no SSL requirement on these). The server currently has a single IP address i.e. WHM, cPanel and the Magento site are all accessed on the same IP, but with multiple domains (DNS setup externally) i.e.

sites.domain.co.uk for WHM and cPanel.
store.domain.co.uk for Magento admin
store.domain1.co.uk for Magento store 1
store.domain2.co.uk for Magento store 2

We have currently installed a single domain certificate in WHM for sites.domain.co.uk (working fine). We now need to install a multi-domain certificate for the Magento account to cover the admin domain as well as the initial two store domains. Further stores will be added later, each with their own domains. Once put live the stores themselves will switch to a www address (instead of store.xxx).

The question is where and (exactly) how (preferably with clear steps and examples) do we set this up in the simplest and most easy to manage way possible?

My understanding so far is that if we want to have 2 certificates on the server (one single domain for WHM/cPanel) and one multi-domain for the Magento cPanel account, then we'd need to have a separate IP assigned to the cPanel account - correct? In that case how do we go about this?

Assuming we assign a 2nd IP to the Magento cPanel account then we can request and install the Magento multi-domain certificate from within the cPanel account - correct? This certificate would cover the 3 store.domain[x] domains but not the sites.domain domain which is for WHM/cPanel itself. Is there anything else needed then other than to install the certificate? Anything still need changing in http.conf (or whatever) in this version of cPanel?

However, if we don't assign a separate IP to the Magento cPanel account then I guess we'd have to replace the current WHM/cPanel certificate with a new multi-domain certificate that covers all 4 domains - correct? In that case how do we go about this and then correctly assign the certificate to also cover the Magento cPanel account and install?

Thanks in advance!
 

cPanelMichael

Administrator
Staff member
Hello :)

You can actually install all of the certificates on the same IP address if you are using an OS that supports SNI (e.g. CentOS/RHEL 6). This functionality was implemented in cPanel version 11.38, and is documented at:

11.38 - Improved SSL Management System

Thank you.
 

markb14391

Hi,

We are worried about SNI browser compatibility, so we are looking at multi-domain (UCC/SAN) instead. But I'm not sure exactly what the "improved support for multi-domain certificates" includes, or exactly how to set this up. Can you provide any additional details?

Thanks,

Mark
 

cPanelMichael

Administrator
Staff member
You can assign a dedicated IP address to the account that requires the multi-domain SSL certificate and then install the certificate for each domain name the same way you would install a normal certificate.

Thank you.
 

regisit

I can confirm this is painless and works fine! I too was concerned at the SNI browser compatibility issue, so as we have some spare IPs I assigned one to the cPanel account. Then requested and installed the MDC from the account's cPanel SSL/TLS Manager as you would a "normal" single-domain certificate. Didn't encounter any issues. Once the MDC is installed, simply assign to each of the domains to be secured.

Assigning the IP was painless too and done from within WHM. Was a bit concerned at how this works in CentOS/WHM/cPanel. In Windows you would first have to assign an IP to the LAN card and then to the site in IIS. But in WHM it was simply a case of assigning to the account in WHM and it took care of the configuration. Nice!

- - - Updated - - -

Just one thing for anyone else wanting to use MDC certificates on eCommerce sites. If you want to use an Organisation Validated multi-domain certificate and also your SSL provider's site seal feature, check it's supported on their MDC certificates! We initially used a Comodo OV/MDC but found out their site seal doesn't work with such certificates. This isn't clear anywhere on their site. We got a refund and went to GlobalSign and all works fine.
 

markb14391

Thank you for the info! If you ever add a domain to the certificate, I heard that you need to reissue the certificate at the provider, then reinstall it on all domains. Do you know if that's correct?

Thanks,

Mark

- - - Updated - - -

Also, is it possible to install both types of certs on the same IP? For example, on the server's main shared IP a multi-domain certificate covering 3 domains. And also if a customer has an existing certificate, can they install it on their cPanel account (on the same shared IP) utilizing SNI?

- - - Updated - - -

Also, can the multi-domain certificate be installed on the server's shared IP, or does it require its own dedicated IP?
 

cPanelMichael

Administrator
Staff member
> Thank you for the info! If you ever add a domain to the certificate, I heard that you need to reissue the certificate at the provider, then reinstall it on all domains. Do you know if that's correct?

This depends on your specific SSL provider, but yes, oftentimes a new certificate is issued when you add additional domain names.

> Also, is it possible to install both types of certs on the same IP? For example, on the server's main shared IP a multi-domain certificate covering 3 domains. And also if a customer has an existing certificate, can they install it on their cPanel account (on the same shared IP) utilizing SNI?

Yes, assuming your server supports SNI, you can install multiple types of certificates on a single account.

> Also, can the multi-domain certificate be installed on the server's shared IP, or does it require its own dedicated IP?

You can install these certificates on shared IP addresses as long as your server supports SNI.

Thank you.
 

markb14391

One followup question:

> You can install these [multi-domain] certificates on shared IP addresses as long as your server supports SNI.

In this case we'd lose the benefit of the multi-domain certificate, which is better browser compatibility than SNI...right? Or would the additional (multi) domains still be served using SAN/UCC, and still have the better compatibility?

Thanks,

Mark
 

cPanelMichael

Administrator
Staff member
Multi-domain certificates can be installed onto shared IP addresses on systems where SNI is not supported. However, if your system does support SNI, and you have other certificates installed on the same IP address, then SNI is going to be utilized. A dedicated IP address may be useful in such cases.

Thank you.
 

markb14391

Thanks for the additional info. Our problem is that some of our hosting VPSs only support a single IP address. So it would be great if both certificate types could coexist peacefully, each with its own benefits. :)

I tried something, and the results were surprising(ly good). I installed a multi-domain certificate on the shared IP address. Then, for testing, I added another domain to the certificate. Then I added a separate SSL certificate (using SNI) for another cPanel account.

I was hoping that the multi-domain (UCC/SAN) certificate would continue to use that protocol on the domains it manages. I tested under Windows XP, and it appeared to work as I had hoped. The two domains under the multi-domain certificate worked properly in IE in Windows XP (indicating that SAN was being used, confirmed by the certificate info). The SNI certificate failed as expected.

So, could this be right...if I install the UCC/SAN certificate first, it will work properly for its domains? Then SNI will only take over on domains not under the multi-domain certificate?

Thanks,

Mark
 

cPanelMichael

Administrator
Staff member
> So, could this be right...if I install the UCC/SAN certificate first, it will work properly for its domains? Then SNI will only take over on domains not under the multi-domain certificate?

Based on your testing results, yes, this should occur. You can proceed with the installation and let us know if it works as intended.

Thank you.
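
The mixed setup tested in this thread (a multi-domain certificate answering clients that send no SNI, with other certificates selected by SNI on the same IP) can be checked without a Windows XP machine. The following is an added example, not part of the original posts and not cPanel code: `presented_sans()` reads the SAN list a server presents with or without SNI, and `legacy_client_report()` shows which hostnames a non-SNI client can validate. The sample certificate data and `customer.example` are constructed.

```python
import socket
import ssl

def san_names(cert):
    """DNS names from the subjectAltName of an ssl.getpeercert() dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(san, host):
    """True if host matches a SAN entry; '*' matches one left-most label only."""
    host = host.lower().rstrip(".")
    for name in san:
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def presented_sans(ip, host=None, port=443, timeout=5):
    """Handshake with ip; SNI is sent only when host is given. Returns SAN list.
    Chain validation stays on (getpeercert() is empty otherwise), so this
    assumes a CA-issued certificate; name matching is left to covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_names(tls.getpeercert())

def legacy_client_report(default_san, hosts):
    """For each host on a shared IP: does a client that sends no SNI
    (e.g. IE on Windows XP) receive a certificate valid for that name?"""
    return {h: covers(default_san, h) for h in hosts}

# Constructed sample: getpeercert()-style dict for the certificate presented
# when no SNI is sent (here, the multi-domain certificate).
DEFAULT_CERT = {"subjectAltName": (("DNS", "store.domain.co.uk"),
                                   ("DNS", "store.domain1.co.uk"),
                                   ("DNS", "store.domain2.co.uk"))}
HOSTS = ["store.domain1.co.uk", "store.domain2.co.uk", "customer.example"]

if __name__ == "__main__":
    report = legacy_client_report(san_names(DEFAULT_CERT), HOSTS)
    for host, ok in report.items():
        print(f"{host}: {'OK without SNI' if ok else 'needs SNI'}")
```

Against a live server, compare `presented_sans(ip)` with `presented_sans(ip, host)` for each hostname: any name missing from the first list depends on SNI.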