Wildcard SSL certificate for several subdomains on same IP Address

[veronicabend]

Hello!

Is it possible to purchase a certificate for *.domain.com, install it on server for this domain which is on its own ip address, and have the certificate work for all subdomains on that same IP? Will it protect www.domain.com and also a.domain.com and b.domain.com ? In a way that if you access https://b.domain.com it works without redirecting to https://www.domain.com?

I would like to know if this is possible, and how I should set up SSL for it to work.

Thanks.

 

[quizknows]

I haven't set one up in a while, but if correctly installed then yes a wildcard cert is valid for all subdomains.

 

[cPanelMichael]

Hello

Yes, but keep in mind that you will need to manually install the same certificate for each subdomain.

Thank you.

 

[swbrains]

Hello cPanelMichael,

I'm also looking into installing a wildcard SSL cert on my cPanel server (Centos 7). I would like to install that wildcard cert once and have it work for all subdomains under my main domain. I was also told by a server admin that it needed to be installed manually for each subdomain, but reading the following thread in which you responded:
Wildcard SSL certificate on wildcard subdomain (reference your reply to user "vanessa")
it sounds like it may be possible to create a wildcard DNS entry for "*" in my main domain's DNS and install the wildcard cert once to cover all subdomains.

Can you clarify if this is indeed possible, and if so, provide additional detail regarding the specific installation steps necessary to have a *single installation* of a wildcard cert work for all current and future subdomains of the main domain?
Thanks!

 

[cPanelMichael]

Wildcard SSL certificate on wildcard subdomain (reference your reply to user "vanessa")
it sounds like it may be possible to create a wildcard DNS entry for "*" in my main domain's DNS and install the wildcard cert once to cover all subdomains.

Can you clarify if this is indeed possible, and if so, provide additional detail regarding the specific installation steps necessary to have a *single installation* of a wildcard cert work for all current and future subdomains of the main domain?

This is in reference to a wildcard SSL certificate with a wildcard subdomain. Typically, wildcard subdomains are used to direct requests to any subdomain associated with a domain name to a single location. Thus, if you wanted individual subdomains with their own content, you would have to install the wildcard certificate on each individual subdomain.

Note that you may find interest in the AutoSSL feature in cPanel 58 as an alternative to this, as it installs certificates for subdomains as well:

Manage AutoSSL - Documentation - cPanel Documentation

Thank you.

 

[swbrains]

AutoSSL looks very intriguing, but now I have some additional questions about this feature:

From what I read, it seems that it will only automatically install a new SSL cert if there is already an expiring one on that account, correct? If this is not the case, will AutoSSL actually generate/install a new SSL cert for all accounts (up to it's limits) after it is enabled, even accounts that don't currently have an SSL cert installed on them?

It appears there are limits (200 for cPanel-provided certs) to the number of domains that can be provided with a free certificate. What about 300 subdomains using the same wildcard cert? Would that count as one cert or is it based on the number of installations?
Is there an option to tell AutoSSL to use a single wildcard cert for all subdomain accounts rather than to generate a new cert?
What if I already have a valid wildcard cert? Can AutoSSL use that to avoid hitting its limit?

Are the free certs from cPanel/AutoSSL "self-signed" or will they be natively recognized by most major browsers?

Thanks!

 

[cPanelMichael]

From what I read, it seems that it will only automatically install a new SSL cert if there is already an expiring one on that account, correct? If this is not the case, will AutoSSL actually generate/install a new SSL cert for all accounts (up to it's limits) after it is enabled, even accounts that don't currently have an SSL cert installed on them?

It will in-fact attempt to install a certificate on domain names without existing SSL certificates. It will not attempt to replace pre-existing valid certificates that expire in more than three days.

It appears there are limits (200 for cPanel-provided certs) to the number of domains that can be provided with a free certificate. What about 300 subdomains using the same wildcard cert? Would that count as one cert or is it based on the number of installations?

AutoSSL does not utilize wildcard SSL certificates. Domain names that use valid existing SSL certificates (including wildcard SSL certificates) are automatically skipped and not counted towards the limit.

Is there an option to tell AutoSSL to use a single wildcard cert for all subdomain accounts rather than to generate a new cert?
What if I already have a valid wildcard cert? Can AutoSSL use that to avoid hitting its limit?

AutoSSL will not issue wildcard SSL certificates.

Are the free certs from cPanel/AutoSSL "self-signed" or will they be natively recognized by most major browsers?

These are signed certificates that major browsers will recognize.

Thank you.

 

[swbrains]

Thanks for the quick and thorough response! I guess my use case (600+ accounts with about 400+ using subdomains (rather than registered domains) for their account, I would have trouble if I enabled it as it would hit its limit due to trying to install all the subdomains from new, individually-generated certs for each one.

So even though AutoSSL won't issue a new wildcard cert, is there a way to have it use the valid wildcard cert I already installed on one of my subdomains (to test it)?

 

[cPanelMichael]

So even though AutoSSL won't issue a new wildcard cert, is there a way to have it use the valid wildcard cert I already installed on one of my subdomains (to test it)?

There's no native option to have it issue your own custom wildcard certificate for each subdomain under the account at this time. However, the following document explains how to install a SSL certificate via the command line using WHM API 1:

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+installssl

You could develop a custom script that installs the certificate for multiple subdomains using this API function if you are comfortable doing so.

Thank you.

 

[swbrains]

Thanks. I have written cPanel API code before so I could generate a script that installs my cert on the subdomain accounts initially.

But I imagine I'll still run into trouble when it expires, as AutoSSL will generate a new cert for the first 200 subdomains and then stop updating, leaving me with some accounts up to date, and others expired, with potentially no easy way to determine quickly which ones were not updated successfully due to the limit.

 

[cPanelMichael]

But I imagine I'll still run into trouble when it expires, as AutoSSL will generate a new cert for the first 200 subdomains and then stop updating, leaving me with some accounts up to date, and others expired, with potentially no easy way to determine quickly which ones were not updated successfully due to the limit.

You can disable the AutoSSL feature on an account to prevent this from happening via:

"WHM Home » SSL/TLS » Manage AutoSSL >> Manage Users"

Thank you.