Multiple certs with a SAN: How can I change the "main" domain?


#1

My operating system is (include version): Debian 8.5
My web server is (include version): Apache 2.4.10

Outputs from https://www.sslshopper.com/csr-decoder.html on the generated CSRs:
for alpha:
Certificate Information:
Common Name: alpha.mydomain.fr
Subject Alternative Names: alpha.mydomain.fr
Valid From: September 5, 2016
Valid To: December 4, 2016
Issuer: Let’s Encrypt Authority X3, Let’s Encrypt
Serial Number: 03yyyyy

for beta:
Certificate Information:
Common Name: beta.mydomain.fr
Subject Alternative Names: alpha.mydomain.fr, gamma.mydomain.fr, beta.mydomain.fr, delta.mydomain.fr
Valid From: September 16, 2016
Valid To: December 15, 2016
Issuer: Let’s Encrypt Authority X3, Let’s Encrypt
Serial Number: 03xxxxx

Outputs from issuing openssl s_client -connect
# openssl s_client -connect alpha.mydomain.fr:443 -servername alpha.mydomain.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = alpha.mydomain.fr
verify return:1

Certificate chain
0 s:/CN=alpha.mydomain.fr
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

#openssl s_client -connect beta.mydomain.fr:443 -servername beta.mydomain.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = alpha.mydomain.fr
verify return:1

Certificate chain
0 s:/CN=alpha.mydomain.fr
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

How can I change that now?


#2

Hi Bernard,

You haven’t given a lot of clues here. What do you mean by “main” domain? Can you be a bit more specific, please? Do you mean the “common name” on the certificate, or do you mean the order of the domains in the SAN list, or something else?


#3

(Sorry, this was my first post and I did not realize until it was posted that it would be published as is…)


#4

Thanks, the edited version is much better 🙂

Without your real domain name, I can only guess on some things.

Are you serving the correct certificate for “beta”? It sounds as if your config could still be pointing to the original “alpha only” certificate.

Also, you only list the CN (common name), not what the SAN list shows… so I’m not sure if it’s a valid cert (with the CN as alpha, and beta in the SANs) or if it’s an invalid cert.

Can you provide the full domain names so we can check?


#5

Hi Andy,
thx for your patience!
B-) Giving the full domain names is slightly tricky, since it involves some client names which I would prefer not to appear in this context in Google’s pages!!!

BUT you were right… I had “just” forgotten to enable the site for beta…

Thx a lot!
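
The symptom resolved in this thread (the name “beta” was answered with the alpha-only certificate because its site was not enabled) can be detected from `openssl s_client` output alone. The following is an added example, not code from any post in this thread: it parses the transcripts and flags each requested `-servername` whose returned leaf certificate does not list that name in its SANs. The function names and the `CERTS` inventory are assumptions built from the values in post #1; certificates are identified by their CN, which only works when CNs are distinct, and wildcard SANs are not handled.

```python
import re

# Inventory: CN -> SAN set, copied from the decoder output in post #1.
CERTS = {
    "alpha.mydomain.fr": {"alpha.mydomain.fr"},
    "beta.mydomain.fr": {"alpha.mydomain.fr", "gamma.mydomain.fr",
                         "beta.mydomain.fr", "delta.mydomain.fr"},
}

# Constructed sample: the two s_client transcripts from post #1, trimmed.
TRANSCRIPT = """\
# openssl s_client -connect alpha.mydomain.fr:443 -servername alpha.mydomain.fr
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
depth=0 CN = alpha.mydomain.fr
#openssl s_client -connect beta.mydomain.fr:443 -servername beta.mydomain.fr
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
depth=0 CN = alpha.mydomain.fr
"""

SNI_RE = re.compile(r"-servername\s+(\S+)")
LEAF_RE = re.compile(r"^depth=0\b.*?\bCN\s*=\s*([^,\s]+)")


def served_leaf_by_sni(transcript):
    """Map each requested SNI name to the CN of the leaf (depth=0) returned."""
    served, sni = {}, None
    for line in transcript.splitlines():
        m = SNI_RE.search(line)
        if m:                      # command line: remember the requested name
            sni = m.group(1)
            continue
        m = LEAF_RE.match(line)
        if m and sni:              # leaf subject for the current request
            served[sni] = m.group(1)
    return served


def audit(transcript, certs=CERTS):
    """Return {sni: (leaf_cn, covered)}; covered=False means the wrong cert."""
    report = {}
    for sni, leaf_cn in served_leaf_by_sni(transcript).items():
        sans = certs.get(leaf_cn, {leaf_cn})  # unknown cert: assume CN only
        report[sni] = (leaf_cn, sni in sans)
    return report


if __name__ == "__main__":
    for sni, (cn, ok) in audit(TRANSCRIPT).items():
        print(sni, "-> leaf CN", cn, "ok" if ok else "NOT covered: check this vhost")
```

A name reported as not covered means the server answered it from another virtual host, typically the default one, which is what a site that was never enabled looks like from the client side.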

