Wildcard SSL Certificate and IP Address(es)

andyledford

Registered
Jan 31, 2014
cPanel Access Level
Root Administrator
We are wanting to install a wildcard cert to cover subdomains at our domain, but are truly confused about the need or lack of need for separate IP addresses for each subdomain. We have seen some sources that claim separate IPs ARE required, while others say the opposite. We have found postings on this forum in which a cPanel moderator has said separate IPs are NOT required; however, the WHM documentation at: https://documentation.cpanel.net/display/ALD/Purchase+and+Install+an+SSL+Certificate says:

------
What is the difference between a wildcard and a webserver certificate?

Webserver certificates only allow you to secure a single domain. Wildcard certificates allow you to secure a domain and an unlimited number of subdomains. For example, if you want to secure store.example.com and blog.example.com, you can use a single wildcard certificate to do so. However, each subdomain will require its own dedicated IP address.
------

So, what is the real story? Is the cPanel answer in "SSL certs wildcard domains across different hosts" correct? If so, what is meant by the statement in the WHM documentation?

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Dedicated IP addresses were required in the past. However, starting with cPanel version 11.38, servers that support SNI (CentOS/RHEL 6) can assign SSL certificates to multiple accounts/domain names without the need of a dedicated IP address. This is reflected here:

SSL FAQ

Note: An internal case is open to correct the document that you referenced. For reference, that case number is 76981.

Thank you.
 

andyledford

Registered
Jan 31, 2014
cPanel Access Level
Root Administrator
Whoa! That was quick! Thanks for the prompt reply. If I can trouble you for some more info, I'd like to expand on our situation. Our OS is CentOS 5.10 x86_64 standard, our OpenSSL is 0.9.8e, and our Apache is 2.2.26. We have cPanel/WHM 11.42.0. I have read that OpenSSL 0.9.8f (some say "j") or higher is required for SNI; the news that a newer version of our OS is also required is "news". In any event, I have also read that older browsers, particularly IE on Windows XP, do not support SNI. Assuming all of that to be true, it doesn't look to us like SNI would be an option.

How does that information affect your answer?

Thanks
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
While manually upgrading OpenSSL on your system may provide support for SNI, it's not something we can provide support for. Ideally, you should use a supported OS for SNI such as CentOS 6. You can find details about compatibility with SNI itself (e.g. IE on Windows XP) at:

Server Name Indication - Wikipedia, the free encyclopedia

Per the details you provided, I suggest upgrading/migrating to a server that supports SNI natively such as CentOS 6 if you plan to use it. Otherwise, you will need to ensure you assign a dedicated IP address to each domain name or subdomain that requires its own SSL certificate. If you plan to go that route, this document may be of help:

Assigning Dedicated IPs to Subdomains

Thank you.
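The SNI question in the two posts above comes down to one thing: whether the client puts a server_name extension in its TLS ClientHello. What follows is an added example, not code from this thread or from cPanel, that builds a constructed ClientHello with and without that extension and parses it the way a server (or a packet-capture triage script) would. It makes visible why a client that omits SNI can only ever be handed the one certificate bound to the IP address it connected to. The names `build_client_hello`, `extract_sni` and `select_certificate` are mine; the byte layout follows RFC 5246 (record and handshake framing) and RFC 6066 (server_name extension).

```python
"""Minimal TLS ClientHello builder and SNI extractor (added example).

Not from the forum thread or cPanel. Layout follows RFC 5246 and RFC 6066.
The builder exists only to create constructed test input; a real server
parses whatever bytes arrive on the socket.
"""
import struct

SERVER_NAME_EXT = 0x0000  # extension type for server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Return a TLS 1.0 record carrying a ClientHello (constructed input).

    With server_name=None the extensions block is left out entirely, which is
    what a legacy non-SNI client sends.
    """
    random_bytes = bytes(range(32))                  # fixed, not cryptographic
    hello = b"\x03\x01" + random_bytes + b"\x00"     # version, random, empty session_id
    hello += b"\x00\x02\x00\x2f"                     # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    hello += b"\x01\x00"                             # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _need(buf, pos, n):
    """Bounds check so truncated or malformed input raises instead of misparsing."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = _need(record, 5, rec_len)
    if body[:1] != b"\x01":
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(_need(body, 1, 3), "big")
    hello = _need(body, 4, hs_len)
    pos = 2 + 32                                               # client_version + random
    pos += 1 + _need(hello, pos, 1)[0]                         # session_id
    pos += 2 + struct.unpack("!H", _need(hello, pos, 2))[0]    # cipher_suites
    pos += 1 + _need(hello, pos, 1)[0]                         # compression_methods
    if pos >= len(hello):
        return None                                            # no extensions block: legacy client
    ext_total = struct.unpack("!H", _need(hello, pos, 2))[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", _need(hello, pos, 4))
        pos += 4
        edata = _need(hello, pos, elen)
        pos += elen
        if etype != SERVER_NAME_EXT:
            continue
        list_len = struct.unpack("!H", _need(edata, 0, 2))[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = edata[p]
            name_len = struct.unpack("!H", _need(edata, p + 1, 2))[0]
            p += 3
            name = _need(edata, p, name_len)
            p += name_len
            if name_type == 0:                                 # host_name
                return name.decode("ascii")
    return None


def select_certificate(record, certs_by_name, default_cert):
    """Mimic a server's choice: the SNI name's certificate if present and known,
    otherwise the single certificate bound to the IP address.

    certs_by_name maps exact server names to a certificate label (hypothetical).
    Without SNI there is nothing to select on, which is why a non-SNI setup
    needs one IP address per certificate.
    """
    name = extract_sni(record)
    if name is None:
        return default_cert
    return certs_by_name.get(name.lower(), default_cert)


if __name__ == "__main__":
    certs = {"sub1.example.com": "wildcard-example-com", "other.test": "other-cert"}
    for host in ("sub1.example.com", "other.test", None):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), "->", select_certificate(rec, certs, "default-ip-cert"))
```

Run against real traffic, the same parser applied to the first record of each inbound connection gives you a count of clients that send no server_name at all, which is the number you need before deciding whether the shared-IP (SNI) layout or the one-IP-per-certificate layout fits your user base.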
 

andyledford

Registered
Jan 31, 2014
cPanel Access Level
Root Administrator
I think we talked past each other. We want to apply a wildcard cert and need to know if we must have separate IP addresses for each subdomain to be covered by the cert. We have a plain vanilla cert covering 'example.com'. We want to replace that cert with a wildcard so that 'sub1.example.com' and 'sub2.example.com' are covered. At present, we have only one IP address that routes to 'example.com' and all subdomains on that domain.

Thanks
 

robb3369

Well-Known Member
Mar 1, 2008
cPanel Access Level
Root Administrator
Since you are on CentOS 5.x, you need to migrate to a server with CentOS 6.5 to be able to take advantage of SNI and a neat tool in cPanel to basically "copy" the cert from one website to another. If the accounts are for the same user, that user can do this within their cPanel, but if on different cPanel accounts, the root admin needs to do it from within WHM.

You can do the same thing on your current config, but will need 2 IP addresses. On each site/sub-domain just use the same private key, certificate and CA bundle (if needed)...
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
------
I think we talked past each other. We want to apply a wildcard cert and need to know if we must have separate IP addresses for each subdomain to be covered by the cert. We have a plain vanilla cert covering 'example.com'. We want to replace that cert with a wildcard so that 'sub1.example.com' and 'sub2.example.com' are covered. At present, we have only one IP address that routes to 'example.com' and all subdomains on that domain.

Thanks
------

My previous response was intended to provide you with the options you have. You can upgrade/migrate to CentOS 6 and use a shared IP address for wildcard SSL purposes, or remain on CentOS 5 and assign a dedicated IP address to each subdomain.

Thank you.
 

andyledford

Registered
Jan 31, 2014
cPanel Access Level
Root Administrator
I appreciate the responses. I'm amazed that this topic can generate so many different perspectives, approaches, and proposed solutions -- as evidenced by the number of forum postings (just on the cPanel forums; not to mention on the Internet as a whole) with topics that include "wildcard SSL", "dedicated IP", "shared IP", and so forth.

In our case, we want to install a wildcard certificate on a single domain under a single user so that the subdomains of the single domain are covered, and we want to use a single, dedicated IP that routes to the domain and all of the subdomains. We cannot use SNI -- even if our configuration supported it -- because SNI is not supported for IE users on XP.

I think I found the answer to our original question at The cPanel Admin. In the article at that location, the author says:

Us administrators eventually come to the realization that when you have a wildcard SSL certificate for 40 subdomains, you can’t practically have separate IPs and cPanel accounts for all of them. If you have a wildcard SSL certificate for all your subdomains, you can easily install the certificate on a single IP address for all the subdomains. For this particular scenario to work:

- All subdomains must be on the same IP and cPanel account
- You must have a wildcard SSL qualifying for *.tld.com
For us, both conditions would be met, so it looks like we can purchase a wildcard cert through WHM, let WHM install it, and have all of our subdomains covered by the cert. If there is some "fine print" or an asterisk that would say "Yeah, in most cases that's true, but in your case..." so that our desired approach will NOT work, we really need to hear about it.

Again, thanks to all who took the effort to reply. I just wish this supposedly-simple setup was not open to so much variation and interpretation. We have a ticket into Trustwave as well on this same topic, so I will post their response here when I receive it.
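The two conditions quoted from The cPanel Admin above concern the server layout (one account, one IP). The certificate side of the question, which names a `*.tld.com` certificate actually covers, is decided by hostname matching rules, and that is where the "fine print" lives. The following is an added example, not code from this thread, from cPanel, or from the article quoted above. It applies the conservative matching rules used by modern browsers and Python's ssl module (the wildcard must be the whole leftmost label and stands for exactly one label); the function names `hostname_matches` and `covered` are mine, and the certificate name lists are constructed. It shows that a bare `*.example.com` certificate covers sub1.example.com but neither example.com itself nor a.b.example.com, so check that the certificate you buy also lists the bare domain as a SAN if you need it.

```python
"""Which names does a wildcard certificate cover? (added example)

Not from the forum thread, cPanel, or the quoted article. Matching follows
the rules modern browsers and Python's ssl module apply: the wildcard must be
the entire leftmost label, it matches exactly one label, and it never matches
the bare domain. Certificate names are normally taken from the dNSName SANs
(with the CN as a fallback); they are passed in here as plain strings so the
example runs offline.
"""


def _labels(name):
    """Case-fold, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern, hostname):
    """True if a certificate name (possibly '*.example.com') covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    # The wildcard must be the whole leftmost label and have at least two
    # labels after it, so '*.com' and 'sub*.example.com' are rejected.
    if p[0] != "*" or len(p) < 3 or any("*" in lab for lab in p[1:]):
        return False
    # '*' stands for exactly one non-empty label: no match for the bare
    # domain (example.com) or for a deeper name (a.b.example.com).
    return len(h) == len(p) and h[1:] == p[1:] and h[0] != ""


def covered(cert_names, hostnames):
    """Map each hostname to the first certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if hostname_matches(n, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    # Constructed: a certificate carrying only the wildcard, and one that also
    # lists the bare domain as an extra SAN.
    wildcard_only = ["*.example.com"]
    wildcard_plus_bare = ["*.example.com", "example.com"]
    hosts = ["example.com", "sub1.example.com", "SUB2.Example.COM",
             "a.b.example.com", "example.org"]
    for label, names in (("wildcard only", wildcard_only),
                         ("wildcard + bare domain", wildcard_plus_bare)):
        print(label)
        for host, by in covered(names, hosts).items():
            print(f"  {host:20} -> {by or 'NOT COVERED'}")
```

Feed `covered()` the SAN list from the certificate you are about to buy (or already have) and the full list of hostnames you intend to serve; any entry that comes back as NOT COVERED is a name the wildcard will not protect regardless of how the IP addresses are arranged.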
 

robb3369

Well-Known Member
Mar 1, 2008
cPanel Access Level
Root Administrator
------
In our case, we want to install a wildcard certificate on a single domain under a single user so that the subdomains of the single domain are covered, and we want to use a single, dedicated IP that routes to the domain and all of the subdomains.
------

Ok, now that can be done -> What is wildcard SSL

Once you get your SSL certificate set up on the first site, you'll end up with a Private Key, the Site Certificate and an optional CA-Bundle. Copy all three of these items to Notepad so you can paste them into each sub-domain SSL configuration as described here -> Manually enter certificate information

I have not done this type of configuration in a while, but I remember it not working correctly and we had to resort to copying and renaming the actual *.crt and *.key files to the correct sub-domain name (site1.domain.com.crt and site2.domain.com.crt even though they are exact same wildcard certificate) to get things recognized in cPanel to get the SSL settings enabled.

Hopefully this helped somewhat...