
What kind of SSL Cert do I need and where do I get it?

I want to have subdomains with SSL within my domain. The main difference is that each subdomain is hosted by a different person with a different public key/private key pair.

Let me illustrate with an example:

  1. User sends his public key and requests a subdomain from foo.com
  2. User is added and assigned subdomain bar (bar.foo.com). User's public key is stored for future validation against bar.foo.com
  3. User goes to bar.foo.com and sees a validated SSL connection.

From what I gather, this means that I need to create a CA, which is fine. The problem is that from what I recall, a CA needs a special sort of SSL Cert. How do I go about getting this?

  • 1
  • Who do you need to be able to validate these certificates? Is it just to do SSL within a select group of end-users, or are these subdomains going to engage in SSL with random people over the public internet?

Given your answer to my comment above, I agree with Ladadadada. Creating a CA is easy, but getting other people to trust it is hard: either you need to distribute your CA root certificate to each of them (which you can't do, as you've confirmed they're random end-users), or you need to get the browser makers to include it in their standard trusted bundle (and good luck with that).

Since you don't want to just tell each subdomain owner to do it themselves, your only remaining option that I can see is to get each subdomain owner to generate a CSR, and then you act as a central clearing house, submitting each of these CSRs to a certification authority.

Many of the big SSL certificate houses have a policy whereby you can go through a one-time lengthy process to establish yourself as authoritative for (e.g.) example.com, but once this is done, applications you make for anything inside example.com apparently go through very quickly indeed.

I don't use Verisign (or Symantec, as they now are) and wouldn't endorse them here even if I did; I link to them simply so you can see one example of such an arrangement: Symantec's portal to getting yourself established as authoritative for a domain ("key features" include "Instant issuance of certificates on pre-approved domains"). If you decide to take this route you should shop around and choose an SSL certificate issuer that's right for you.

  • 4
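The "central clearing house" step from the answer above, as an added example (not code from the thread or from any CA's tooling): the subdomain owner produces a key and CSR, and the foo.com operator checks the CSR before forwarding it to the public CA. foo.com and bar.foo.com come from the question; the work directory, file names and both functions are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the "CSR clearing house" flow from
# the answer above, done with the openssl CLI. foo.com and bar.foo.com are the
# question's names; WORK, the file names and both functions are this example's.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Subdomain owner's side: the private key is generated on their host and never
# sent anywhere; only the CSR goes to the foo.com operator.
# $1 = subdomain, $2 = SAN list to request (defaults to just that subdomain).
make_csr() {
  sub="$1"; san_req="${2:-DNS:$sub}"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$sub.key" -out "$WORK/$sub.csr" \
    -subj "/CN=$sub" -addext "subjectAltName=$san_req" >/dev/null 2>&1
  printf '%s\n' "$WORK/$sub.csr"
}

# Operator's side, run before forwarding a CSR to the public CA:
#  1. the CSR's self-signature verifies (the requester really holds the key),
#  2. the CN is exactly the subdomain assigned to that user,
#  3. every SAN entry is that same name (no extra hosts, no wildcard).
# Returns 0 to accept the CSR, 1 to reject it.
check_csr() {
  csr="$1"; assigned="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=CN=//p')
  [ "$cn" = "$assigned" ] || return 1
  # The line after the SAN header reads "DNS:a, DNS:b, ..."; one name per line.
  openssl req -in "$csr" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' > "$WORK/sans.txt"
  [ -s "$WORK/sans.txt" ] || return 1      # no SAN at all: reject
  while IFS= read -r san; do
    [ "$san" = "$assigned" ] || return 1
  done < "$WORK/sans.txt"
  return 0
}

# Demo: a well-formed request is forwarded; one that also asks for a wildcard
# covering the whole of foo.com is rejected.
good=$(make_csr bar.foo.com)
bad=$(make_csr baz.foo.com "DNS:baz.foo.com,DNS:*.foo.com")
check_csr "$good" bar.foo.com && echo "bar.foo.com: forward CSR to the CA"
check_csr "$bad"  baz.foo.com || echo "baz.foo.com: rejected (extra SAN name)"
```

The check is the part that makes this scheme safe for the operator: a CSR is signed only by its own key, so without it any user could ask the CA for a name that belongs to someone else, or for the whole domain.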

You could go about this two ways, neither of which involve you becoming a CA. (I suppose becoming a CA is a viable option too, it just doesn't help solve your problem and it comes with added expense and risk.)

  1. Get a wildcard certificate and distribute it and the associated private key to all the people hosting all the subdomains of your site.
  2. Get each person hosting a subdomain to get their own certificate, just for their subdomain. These can be cheap or even free.

Option 1. comes with the obvious risk of distributing your private key to many people. If it gets out, you will want to have your CA issue a revocation which often costs money. Option 2. means going through the process of getting a new certificate each time you create a subdomain. This won't be quick but it should be in the order of a few hours.

  • 2
  • 1. I can't do that because I cannot trust users. 2. I cannot do that because it is an unacceptable policy for me to tell users to get their own certs.
