SSL certificates for single domain (www. and without)
Now I want to add a new certificate so that I also have a secure connection when using no www. prefix.
What is the best action to do so?
Buy the same certificate again and use different virtual host for the domain with www. and one without? How can I accomplish this?
What would my virtualhost file look like? This is the virtualhost file I'm using now:
<VirtualHost *:80>
    ServerAdmin ***@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/public/
    ErrorLog /var/www/logs/error.log
    CustomLog /var/www/logs/access.log combined
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
    ServerAdmin ***@domain.com
    ServerName domain.com
    ServerAlias www.domain.com
    DocumentRoot /var/www/public/
    ErrorLog /var/www/logs/error.log
    CustomLog /var/www/logs/access.log combined
</VirtualHost>
9 Replies
That way you do not need separate certificates and do not need to require SNI support or have multiple IPs.
@haus:
I assume your cert is only valid for www, so adding domain.com to ServerAlias will serve pages but will give you a certificate error (because the domain "domain.com" won't match the cert domain of "www.domain.com"). That's more a response to yangqi, though, since you indicated you'd be "adding a new cert" so it appears you know you need a new cert. A better bet might have been (or might be) to grab a wildcard certificate that would work with/without your subdomain. Otherwise you'll either need another IP address for the new cert or set up SNI, I think.
Afaik, a wildcard cert for *.example.com would not match example.com, so SAN or multiple certs would still be necessary.
@hawk7000:
Afaik, a wildcard cert for *.example.com would not match example.com, so SAN or multiple certs would still be necessary.
Yes, I was apparently remembering seeing a wildcard cert that uses SAN to cover the domain itself. Thank you.
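Added example, not part of the original thread: a small check of which names an Apache vhost answers for are actually covered by a certificate's names, showing why *.domain.com alone leaves domain.com uncovered while a SAN entry for the apex fixes it. The function names and the certificate name lists are constructed for illustration; the matching rule (wildcard only as the whole left-most label, standing for exactly one label) follows RFC 6125.

```python
import re

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname, RFC 6125 style."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.domain.com' has 3 labels, 'domain.com' has 2
    if p[0] == "*":
        # Assumption: require at least two labels after the wildcard,
        # so something like '*.com' is never accepted.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def vhost_names(conf: str) -> list[str]:
    """Collect ServerName / ServerAlias values from an Apache vhost snippet."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.I)
        if m:
            names += m.group(1).split()
    return list(dict.fromkeys(names))  # de-duplicate, keep order

def uncovered(conf: str, cert_names: list[str]) -> list[str]:
    """Names the vhost serves that no certificate name covers."""
    return [n for n in vhost_names(conf)
            if not any(name_matches(c, n) for c in cert_names)]

# Constructed sample: the names from the :443 vhost in the question.
VHOST = """
ServerAdmin ***@domain.com
ServerName domain.com
ServerAlias www.domain.com
"""

if __name__ == "__main__":
    # Constructed certificate name sets for the cases discussed in the thread.
    cases = [("www only", ["www.domain.com"]),
             ("wildcard only", ["*.domain.com"]),
             ("wildcard + apex SAN", ["*.domain.com", "domain.com"]),
             ("two-name SAN", ["domain.com", "www.domain.com"])]
    for label, sans in cases:
        print(f"{label:22} uncovered: {uncovered(VHOST, sans)}")
```

Any name listed as uncovered is one where browsers will show a certificate mismatch error if the vhost is reached under that name over HTTPS.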
If you use something like
I used to use StartSSL until they started getting squirrely saying that any donation page made the site commercial even though it was using PayPal as the processing using its own SSL certs. The NameCheap ones can be reissued for no extra cost ($25 for StartSSL) and are only around $9 a year.