DNS – Do I Need a Separate SSL Certificate for a DNS Redirect?

cname-recorddns-zonedomain-name-systemsslssl-certificate

I am implementing a multi-tenant application where my application hosts and serves technical documentation for a tenant's product.

Now, the approach that I was considering was – I host the documentation at docs.<tenant>.mycompany.com and ask my tenant to setup a CNAME DNS record to point docs.tenantcompany.com to docs.<tenant>.mycompany.com.

I want to the site to be SSL-enabled with my tenant's certificate. I wanted to understand if I my tenant company has a wildcard SSL certificate, will it work with this setup or will a new SSL certificate have to be purchased for docs.tenantcompany.com?

Best Answer

The certificate name must match what the user entered in the browser, not the 'final' DNS record. If the user enters docs.tenantcompany.com then your SSL certificate has to cover that.

If docs.tenantcompany.com is a CNAME to foo.example.com, the certificate does not need to cover foo.example.com, just docs.tenantcompany.com.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Ssl – Use Wildcard SSL with Amazon EC2 instance, secure.thedomain.com -> EC2 instance

I was able to accomplish this by installing my SSL onto an Amazon Elastic Load Balancer instance and pointing it to my EC2 instance. Thanks to the folks on Stack Overflow for quickly offering solid advice on the matter.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Ssl – Use Wildcard SSL with Amazon EC2 instance, secure.thedomain.com -> EC2 instance

Related Topic