IIS – SSL certificate for CNAME redirected domain

Tags: amazon-elb, amazon-web-services, cname-record, iis, ssl-certificate

I have a webservice which provides simple site constructor functionality with a payment page.

User can select purchase domain e.g. user.com, select some template and point this domain with CNAME to my webservice e.g. site.constructor.com.

And there are a lot of such users' sites, and they all point to site.constructor.com.

The webservice site is covered by a wildcard certificate *.constructor.com, is hosted on AWS, and the SSL certificate is applied to the Load Balancer HTTPS handler.

Now when anyone navigates to https://user.com, he gets the appropriate content from sites.constructor.com, but before that he receives a warning window saying that user.com doesn't contain a correct certificate (because the host certificate is used).

And now I need to make https://user.com secured, but can't understand how to do that.

I don't have any load balancer configuration or webservice configuration for this domain. The only entrance is the CNAME and a DB record with the user's domain name. So I can't even simply purchase a new certificate for the user's domain and apply it.

What is the best way to secure a CNAME domain?

UPD.1. user's domain access flow

1. Navigate _https://user.com_
    there is only domain control panel with CNAME which points to the _site.constructor.com_
2. call to the AWS load balancer of _site.constructor.com_ with applied SSL (SSL is NOT for _user.com_)
3. access to the EC2, etc...

Where should the user.com certificate be applied? Is it possible to use a self-generated certificate in this case for user.com?

Best Answer

There being a CNAME record rather than a direct address record (A/AAAA) is not a factor. The certificate verification is based on the hostname in the location URL.

For navigating to https://example.com/ to work, you would need a certificate that is valid for example.com. I.e., a certificate that either has example.com as the Subject CN (Common Name) or that has example.com in its SAN (Subject Alternative Name) list.
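
The hostname check described in the answer, as an added example that is not part of the original answer: a simplified RFC 6125-style matcher that lists which customer domains a given certificate would not cover. The certificate dicts are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
# Added example: hostname-vs-certificate matching, simplified from RFC 6125.
# The certificate dicts below are constructed samples, not real certificates.

def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (case-insensitive)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard accepted only as the whole left-most label, and only
        # above a name with at least two labels (so no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list[str]:
    """Names to check: SAN dNSName entries, else the Subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 6125: CN is consulted only when no dNSName SAN exists
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def covers(cert: dict, hostname: str) -> bool:
    return any(_name_match(n, hostname) for n in cert_names(cert))


def uncovered(cert: dict, hostnames: list[str]) -> list[str]:
    """Hostnames (e.g. from the customer-domain table) that would trigger a warning."""
    return [h for h in hostnames if not covers(cert, h)]


# Constructed sample: the wildcard certificate on the load balancer.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.constructor.com"),),),
    "subjectAltName": (("DNS", "*.constructor.com"),),
}
# Constructed sample: a certificate issued for the customer's own name.
USER_CERT = {
    "subject": ((("commonName", "user.com"),),),
    "subjectAltName": (("DNS", "user.com"), ("DNS", "www.user.com")),
}

if __name__ == "__main__":
    print(uncovered(WILDCARD_CERT, ["site.constructor.com", "user.com"]))
    print(uncovered(USER_CERT, ["user.com", "www.user.com"]))
```

The CNAME never enters the check: the client compares the name typed in the URL against the names in the certificate it is presented.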
