TLS certificates for various domains in organisation

At our organisation we have one main domain plus a few other secondary domains, which are not subdomains of the former. Something like this:

  • Main domain: mycorp.org
  • Secondary domain: another.org
  • Secondary domain: yetanother.org

We are hosting various web sites on these domains on our own server, using Windows Server and IIS.

We would like to deploy TLS certificates for all domains. From my preliminary research, I gather that most certificate vendors offer company-wide certificates that cover any subdomain from a given one, such as *.mycorp.org, but this wouldn't work for us as we work with totally different domains. In principle I would think that we need multiple single-domain certificates, but as I don't have much experience with certificates, I would like some expert advice:

  1. Do we really need to get separate single-domain certificates?
  2. Can we deploy multiple certificates (one per domain) onto the same IIS server, which is hosting all the web sites?
  3. Is there any additional best practice or recommendation I should be aware of in this setting?

Many thanks.

    • You can have a single certificate cover unrelated names like yours, but I strongly suggest using 3 separate certificates instead. Otherwise the fate of all 3 names is shared: to generate the certificate with the 3 names the CA has to validate each name at the same time. If any does not work then either the certificate is not generated at all or generated with only 2 out of 3 names. There are ample solutions to monitor certificates so having 3 instead of 1 is not a problem. (Just leaving that as a comment because I have no idea how to reply to your point 2 about IIS)
    • For item #2: In general, you can install as many certificates as you want on your IIS server. You can then bind one certificate to each site, based on whatever hostname the site is listening for.

1- To host multiple domain names with a single certificate, you will need to use Subject Alternative Names. SANs allow you to specify several hostnames for an SSL certificate. So you could have mycorp.org, www.mycorp.org, another.org, yetanother.org, test.yetanother.org, etc. Some certificate vendors have their own limitations, but generally you should be able to have sites with wildcards and several dozen hostnames listed on a single certificate.

You can see SANs in action by going to www.google.com, then viewing the certificate details for google.com and the Subject Alternative Names values. You can see Google has several extra domains in their cert.

2- Yes, you can have several certificates on a single server, each certificate can be assigned to specific IIS sites via the Bindings settings for each site.

3- It is pretty common practice to use SANs, but as others have mentioned you do somewhat have more secure eggs in one basket. Something happens to that basket and all those eggs are busted.
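As an added example (not part of the question or of the answers above): a small Python checker for the coverage question behind items 1 and 3, applying the wildcard rules browsers use for dNSName SAN entries (a wildcard is honoured only as the whole left-most label, matches exactly one label, and never matches the bare domain). The SAN lists and hostnames are constructed to mirror the domains in the question; they are not taken from any real certificate.

```python
"""Check which of an organisation's hostnames a certificate's SAN list covers."""
from typing import Dict, Iterable, List


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only in the form "*.example.org", matches exactly one label, and
    does not match "example.org" itself.
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".mycorp.org"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]     # the label(s) the wildcard stands for
    return bool(prefix) and "." not in prefix


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether it is covered, so gaps show up before deployment."""
    sans = list(sans)
    return {h: cert_covers(sans, h) for h in hostnames}


def uncovered(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames the certificate would leave without a valid name match."""
    return [h for h, ok in coverage_report(sans, hostnames).items() if not ok]


# Constructed inputs: a wildcard-only certificate versus a multi-SAN certificate.
WILDCARD_ONLY = ["*.mycorp.org"]
MULTI_SAN = ["mycorp.org", "*.mycorp.org", "another.org", "www.another.org",
             "yetanother.org", "test.yetanother.org"]
ORG_HOSTS = ["mycorp.org", "www.mycorp.org", "a.b.mycorp.org", "another.org",
             "www.another.org", "yetanother.org", "test.yetanother.org"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY), ("multi-SAN", MULTI_SAN)):
        print(f"{label}: not covered -> {uncovered(sans, ORG_HOSTS)}")
```

The wildcard-only certificate leaves the apex mycorp.org, the two-level a.b.mycorp.org and every name under the other domains uncovered, which is the gap the question describes; the multi-SAN certificate covers everything except a.b.mycorp.org.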
