I am very new to installation of certificates and AWS itself altogether. Now, in my current infrastructure I have 3 ELBs that are in a VPC.
I have purchased a wildcard ssl certificate from COMODO through Big Rock.
What I want is that all the communication between my ELBs and the external world should be over HTTPS.
- How can I achieve this ?
- Can I install the one wild card certificate that I have on all the
three ELBs ? - Is there a better way of doing it ?
- Also since it is a wild card certificate that I have, I would not be
able to use it for api.example.com but not for example.com itself
(as per my understanding). However, what is visible to the external
world is example.com for now (and not really api.example.com) So do
I need to purchase another certificate for the above scenario ? - Which type of certificate (I read about UCC SSL Certs
here)should I go with, given that I also have example.in as a
domain as well where the same site is hosted.
Please pardon my ignorance on the matter.
Best Answer
Completely disabling plain HTTP is usually not on option, but can configure your webservers to (permanently) redirect any unencrypted request from
http://...
tohttps://...
There is no technical reason why you couldn't.
Yes a wild-card for
*.example.com
is only valid for<valid_hostnames>.example.com
and neither for plain/nakedexample.com
nor*.*.example.com
will work. See this Q&A for the details.Technically it's possible to also include the plain domain with the wildcard certificate via a Subject Alternative Name extension, making the certificate valid for both
*.example.com
andexample.com
but which SSL resellers do that automatically I don't know. So you may not need another (replacement) certificate at all.You can check with
openssl x509 -in certificate.crt -text -noout
which will yield something similar to when SubjectAltNames are present:If that is not the case you may need another certificate to be able to use the bare domain in addition to your current wildcard. Server Name Indication (SNI) is what would be required to use two different SSL certificates and have them to work correctly on a single ELB instance.
ELB supports multiple TLS certificates using SNI -
ALB supports mutiple TLS certs using SNI
NLB now supports multiple TLS certs using SNI