SSL certificates for single domain (www. and without)

I recently bought a certificate (Thawte SSL 123 Certificate 256 Bit - domain validated) from Hetzner for a domain with www. prefix.

Now I want to add a new certificate so that I also have a secure connection when using no www. prefix.

What is the best action to do so?

Buy the same certificate again and use a different virtual host for the domain with www. and one without? How can I accomplish this?

What would my virtualhost file look like? This is the virtualhost file I'm using now:

 <virtualhost *:80="">ServerAdmin ***@domain.com

        ServerName domain.com
        ServerAlias www.domain.com

        DocumentRoot /var/www/public/
        ErrorLog /var/www/logs/error.log
        CustomLog /var/www/logs/access.log combined</virtualhost> 
 <virtualhost *:443="">SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key

        ServerAdmin ***@domain.com

        ServerName domain.com
        ServerAlias www.domain.com

        DocumentRoot /var/www/public/
        ErrorLog /var/www/logs/error.log
        CustomLog /var/www/logs/access.log combined</virtualhost> 

9 Replies

add domain.com to the ServerAlias

I assume your cert is only valid for www, so adding domain.com to ServerAlias will serve pages but will give you a certificate error (because the domain "domain.com" won't match the cert domain of "www.domain.com"). That's more a response to yangqi, though, since you indicated you'd be "adding a new cert" so it appears you know you need a new cert. A better bet might have been (or might be) to grab a wildcard certificate that would work with/without your subdomain. Otherwise you'll either need another IP address for the new cert or set up SNI, I think.

If you have mod_rewrite enabled you can always modify the config to force www.

If you are talking about eg "www.example.com" and "example.com" you would normally get a single certificate with an extra name specified as a "Subject Alternative Name". (The specific example above is actually often provided at no extra cost by the CA.)

That way you do not need separate certificates and do not need to require SNI support or have multiple IPs.

@haus:

I assume your cert is only valid for www, so adding domain.com to ServerAlias will serve pages but will give you a certificate error (because the domain "domain.com" won't match the cert domain of "www.domain.com"). That's more a response to yangqi, though, since you indicated you'd be "adding a new cert" so it appears you know you need a new cert. A better bet might have been (or might be) to grab a wildcard certificate that would work with/without your subdomain. Otherwise you'll either need another IP address for the new cert or set up SNI, I think.

Afaik, a wildcard cert for *.example.com would not match example.com, so SAN or multiple certs would still be necessary.
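The two points above (one SAN certificate covering both names, and a wildcard not covering the bare domain) can be checked locally before touching the vhost. This is an added example, not from the thread: it issues throwaway self-signed test certificates with openssl and asks openssl which hostnames each one matches; example.com stands in for the real domain. Once a certificate matches both names, the existing :443 vhost with ServerName domain.com and ServerAlias www.domain.com only needs SSLCertificateFile/SSLCertificateKeyFile pointed at it.

```shell
#!/bin/sh
# Added example: build self-signed test certs and check which hostnames they match.
# Requires the openssl CLI; example.com is a placeholder domain.
set -e
work=$(mktemp -d)

# make_cert CN "DNS:a,DNS:b" NAME -> writes $work/NAME.{cnf,key,crt}, prints the cert path.
make_cert() {
    cn="$1"; sans="$2"; out="$work/$3"
    cat > "$out.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$out.key" -out "$out.crt" -config "$out.cnf" >/dev/null 2>&1
    echo "$out.crt"
}

# cert_matches CERT HOST -> exit 0 if openssl's hostname check (wildcards only in the
# leftmost label, so *.example.com never covers example.com) accepts HOST for CERT.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Stand-alone run: show the SAN cert covering both names and the wildcard covering one.
if [ -z "$NO_DEMO" ]; then
    san=$(make_cert www.example.com "DNS:www.example.com,DNS:example.com" san)
    wild=$(make_cert '*.example.com' "DNS:*.example.com" wild)
    for host in www.example.com example.com; do
        for crt in "$san" "$wild"; do
            if cert_matches "$crt" "$host"; then r=OK; else r=MISMATCH; fi
            echo "$(basename "$crt") vs $host: $r"
        done
    done
fi
```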

@hawk7000:

Afaik, a wildcard cert for *.example.com would not match example.com, so SAN or multiple certs would still be necessary.

Yes, I was apparently remembering seeing a wildcard cert that uses SAN to cover the domain itself. Thank you.

StartSSL offers free class certs with the root domain + 1 subdomain. If the one you purchased doesn't, it might be worth looking at them.

The single certs I get from Namecheap (PositiveSSL from Comodo) include both the CN, like https://www.example.com, and https://example.com; both are included in the cert.

If you use something like https://www.ssllabs.com/ssltest/analyze.html you can get a good analysis of what your server is configured for (the cert, protocols, ciphers, etc.). It will show the common names and the alternative names in the top cert section.

I used to use StartSSL until they started getting squirrely, saying that any donation page made the site commercial even though it was using PayPal as the processor, using its own SSL certs. The NameCheap ones can be reissued for no extra cost ($25 for StartSSL) and are only around $9 a year.

I wasn't aware StartSSL didn't allow commercial use. Glad I found out about that before using it on a commercial site. I just bought a Comodo from Namecheap. I love them for domain registrations/dns, they're great.
