Individual or Wildcard SSL which one is better


#1

Hi, We are using Ubuntu 16.0.4 LTS with apache 2.4. We have 60 subdomains hosted on same server and we are using LetsEncrypt SSL successfully but each subdomain’s SSL is generated individually because we were unaware of wildcard certificate. Now we are thinking to use wildcard certificate, question arises that shall we use wildcard certificate, is there any problem associated with it or we can just revoke all certificates and go to wildcard without having any doubt?


#2

Hi @AKarimKazi

there is no problem using wildcard certificates. But: Wildcard certificates requires dns-01 - validation, a dns txt entry

_acme-challenge.yourdomain.com

with a special value. New certificate -> new value.

So your dns provider should support an api. If not, it’s painful.

You should not revoke the certificates used. Revocation is only required if the private key is lost, stolen etc.

So you have a backup.

It’s no problem to use

  • 60 subdomains - one certificate per subdomain with one name,
  • creating one certificate with 60 domain names (SAN-certificate), used with 60 vHosts,
  • creating one wildcard certificate used with 60 vHosts.

So if your dns provider doesn’t support an api, I wouldn’t use a wildcard certificate.


#3

Thank you for your quick response.

This means that if I use wildcard certificate now, despite the fact that 60 sub-domains are already shifted to individual SSL letsencrypt certificate. If I run wildcard certificate now, will it replace the individual certificate?


#4

That depends on how you would install said wildcard certificate. Which softeware you’re using. Did you manually install the 60 separate certificates? Or did some software do it for you?


#5

I have installed the SSL certificate using following command

sudo certbot --apache

the above command just list down all the sub domains and I have installed it one by one. Now every vhost file is linked with its ssl/private key combination and it is also checked that those domains are updating successfully and automatically within 90 days. OS used is UBUNTU 16 LTS.

But now I am concerned to use wildcard certificate rather than individual certificates.


#6

Are all those subdomains of the same single “main domain”? Or is it a mix of several subdomains for a multiple of base domains?


#7

If you have a single configuration file with all vHost - definitions, you may edit the configurations directly.

Look there:

Another user has a self signed certificate, created a certificate with

certbot certonly

then changed

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

with the ne files -> that worked.


#8

One base domain and its multiple subdomain


#9

Each subdomain has its own vhost file.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.