Server and SSL domain mismatch

Hello,

Apologies as this is more of generic query but would really appeciatte it if someone could give any guidance, or advise where I can educate myself on this topic.

We have a collaberation server that is named meeting.company1.com, I have been given a certificate for the FQDN meeting.company2.com that need to be installed on this server.

The question is, can the certififcate and server be on two different domains or do they need to match?

Thanks in advance.

1 Like

If you are talking about a web server, it is very common for it to have many (completely different) certs.
So long as the names resolve to an IP on that server, it will do its' best to respond with the correct content.

1 Like

Certificates (and the corresponding private key) are just files: they can be shared among servers as you please. However, the whole idea behind the "Public Key Infrastructure" is that the connecting client will match the hostname used with the hostnames embedded in the certificate.

So you can easily share a certificate for, let's say, hostname A between servers X and Y. And if a client tries to connect to hostname A and ends up actually connecting to server X, this would be fine, as server X has the certificate for hostname A. But if a client would connect to hostname B and would end up at server Y, also using the certificate for hostname A, this would result in an error, because A is not equal to B.
Now, there are of course some situations where sharing certificates between servers is required, for example, if you have multiple servers for a single hostname/site, used for load balancing. And you can add multiple hostnames to a single certificate, which you then might share between multiple servers responsible for those hostnames. The bottom line is: the client connects to a hostname and that hostname has to match with the certificate presented by the server.

Now, to get to your question:
Will clients connect to the company2 server with the hostname for company1? Can you present perhaps more details? It's a little bit vague now to me.

1 Like

Thanks for the replies, I accept this is a little vague but think you have answered my question.

To clarify, the server name is meeting.company1.com with IP address 1.2.3.4, clients will connect to FQDN meeting.company2.com which resolves to 1.2.3.4, the wildard I have been given to install on server meeting.company1.com is for the domain *.company2.com.

I have have never had to install our application before on a server that is on a different domain to the FQDN/certificate so I was unsure if it was possible.

*wildcard certificate

So you have two servers behind a single IP address, correct?

In any case, if you have a certificate for just *.company2.com, clients should be able to connect to meeting.company2.com, but not meeting.company1.com.

Thanks again,

Its just one server which is on the company1.com domain behind address 1.2.3.4,

I'll be adding a web certificate on this server for *.company2.com, end users will connect to meeting.company2.com that resolves 1.2.3.4

It is now my understanding this 'should' be okay.

Well, if you put it that simply: yes.

With aid of something called server name indication webservers can send the correct certificate to the client based on the hostname the client is connecting to.

2 Likes

Does anyone else find that a bit... strange?
I mean, why would company2 give company1 the keys to its' wildcard cert?
Is it doable? SURE.
Is it safe/normal/sane? Well.. not exactly the best solution from where I'm sitting.

The fact that meeting.company2.com points to an IP operated by company1 means that company1 can easily get a cert for that name.
Why would company1 even need a company2 wildcard cert? To save money, company2 already paid for the wildcard cert.
NEWSFLASH: Certificates are now FREE!
And that would mean that company1 is using that cert elsewhere (as much as possible - to save money)!
This "setup" would fail the most basic security review.

Please don't accept their wildcard cert (just yet).
Tell them you will try to handle this without it... and that you will get back to them (if needed).
And take the sane path (IMO) and just get a new (FREE) cert for the exact name being used.

Both company1 and company2 are brand names that are part of the same wider organisation.

I wanted to know if the domain of the server AND certifcate need to match? I understand the answer is NO.

Thanks again for your input, its much appreciatted.

1 Like

BrandName1 & BrandName2 is quite a different thing than Company1 & Company2.
So some of the weight (in my head) has been lifted :wink:
That said, certificates are essentially FREE.
So no one should have to be reusing certs (esp. in dissimilarly secured systems/areas).

People always say stuff like: "Why would anyone want to break into this insecure system?"
One really bad answer is: "It contains copies of the keys used by a much more secure system."
[i.e. Don't use the same password everywhere you go. - Certs/keys are not much different than that.]

Bad wording on my part, and I take on board what you are saying.

1 Like

@rg305 But if it's the same server with just different hostnames, it doesn't matter :slight_smile:

You are going to have to complete that sentence for me.
If I have to use my imagination on what "IT" is... I doubt we will be thinking about the same thing.
What doesn't matter?

What matters to me is that any single wildcard cert not be used to secure every type of system in any network (unless they are all equally trusted/protected - and even then why? [again certs are FREE - even the wild ones]).

And a complete aside question: Is there any way to underline text here?

If the certificate stays in the same server, but is being used for multiple hostnames, it doesn't matter. The hostname sharing.

That said, the OP does suggest the cert is coming from outside the mentioned server.. No idea from where though.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.