Create a certificate for domain without subdomain


#1

I would like to generate a certificate for example.com and not www.example.com
Is that possible?


#2

Yes.

Without details (what your OS is, what client you are using, etc.) I can’t provide details though - hence my answer is rather lacking in specifics and detail, as your question :wink:


#3

Hi Serverco,

Thanks for the response.

I have a certificate in which I registered domains like www.example.com, mail.example.com, ftp.example.com, but not the one without a subdomain, just example.com.

The DNS is pointing all to the same IP address.

I found out that some visitors are using just the domain without subdomain to visit our website.
So I changed the Apache conf to also let the traffic without domain thru.

That works except that the SSL certificate is not valid in this case.


#4

Ideally you want to generate a new certificate including all the domain names (example.com, www.example.com, mail.example.com, ftp.example.com) if I understand you correctly.


#5

Yes. Can I change an existing certificate or do I have to create a new one?


#6

You would register a “naked domain” (example.com) the same way you already registered the others. Just re-issue the cert and include example.com as one of the SANs (subject alt names).


#7

Thank you all. I will renew the certificate.


#8

If you are using certbot then use the --expand option to expand the certificate to include the additional domain name.


#9

Thanks for the tip! I will use the --expand option.
One more question: I saw an example command in another blog post with a naked domain.
It had a minus symbol before the name, like -d -example.com
Do I have to put the minus symbol in front of the domain name?


#10

No, not sure why it had that. If you can provide a link, I’d be interested in seeing it.


#11

I tried to go thru the history of my browser to find that sample. But can’t find it anymore.
Anyway thanks for all the help.


#12

As a reminder, currently in Certbot you need to list all of the domains (the old ones and the new one) when renewing this way. If you were to use only -d example.com without mentioning the existing names, it wouldn’t work properly.


#13

Using multiple -d hosts can associate multiple hosts with a single cert. Just leave off the www.example.com to generate a cert for the bare domain.

letsencrypt certonly --agree-tos --email=your-email --webroot -w /var/www/html -d example.com

Keep in mind, this can cause all manner of subtle problems depending on your Apache config + what terminal/final link your site uses (bare domain or www).

Also keep in mind, many tools + even some broken browsers will attempt prefetching www, if www has ever been referenced. This can also cause hard to debug problems.

Due to the bare domain + www complexities, most examples show bare domain + www using the same cert.

Unless you’re a Command Line Shell Savant, best use bare domain + www for your main site certs.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
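
The check and the re-issue discussed in posts #3, #8 and #12, as an added example that is not part of the thread and not Certbot's own code: it finds which served hostnames the current SAN list fails to cover, then builds the `--expand` call with every old and new name. The SAN list is constructed from post #3, the webroot path is the one from post #13, the helper names are hypothetical, and the wildcard handling goes beyond the thread to show that `*.example.com` would not cover the bare domain either.

```python
import shlex

# Constructed sample: the names post #3 says are already on the certificate.
CURRENT_SANS = ["www.example.com", "mail.example.com", "ftp.example.com"]


def san_matches(host, san):
    """True if a certificate SAN entry covers host (exact or one-label wildcard)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard stands for exactly one label, so it never covers the bare domain.
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return host == san


def uncovered(hosts, sans):
    """Hostnames the web server answers for that no SAN entry covers."""
    return [h for h in hosts if not any(san_matches(h, s) for s in sans)]


def expand_command(current_sans, new_names, webroot):
    """Build the certbot call listing every old and new name, as post #12 requires."""
    names = list(dict.fromkeys(n.lower() for n in [*current_sans, *new_names]))
    for n in names:
        if n.startswith("-"):
            raise ValueError(f"domain names take no leading minus: {n!r}")
    args = ["certbot", "certonly", "--webroot", "-w", webroot, "--expand"]
    for n in names:
        args += ["-d", n]
    return shlex.join(args)


if __name__ == "__main__":
    served = CURRENT_SANS + ["example.com"]
    missing = uncovered(served, CURRENT_SANS)
    print("not covered:", missing)
    print(expand_command(CURRENT_SANS, missing, "/var/www/html"))
```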