Single SSL Issued to Multiple Domains

I have a reverse proxy which caters for my 6 domains. I successfully set up SSL using Let's Encrypt Certbot on my reverse proxy.

I've checked all my domains and they are SSL enabled. But I notice that all my 6 domains' certificates are issued to just one of my servers. Let's say that my domain1, domain2, domain3, domain4, domain5 and domain6 have SSL. But when I verify the certificate, it is issued to domain1 only. domain1 up to domain6 have a single SSL certificate issued to domain1. Is this normal?

Well, it sounds like Certbot has created a single certificate, which has a Common Name of domain1 and Subject Alternative Names of domain1, domain2, domain3, domain4, domain5, domain6.

This is normal.

If you want to have 1 certificate per domain and your reverse proxy supports that, Certbot can do that too.


It's perhaps unfortunate that the Common Name is made the focal point. The X.509 certificates we use today weren't originally intended for the Internet at all, they're part of the X.500 system, a global directory which was never built. In that system the certificate would have one human readable "Common name" for the subject, such as "Steve Jobs" or "The White House" that would just be a convenient label for humans.

When X.509 was re-purposed for the Internet last century by the Netscape Corporation, the Common Name was re-used to write a DNS name, but that's a bit clumsy because it's a human readable field whereas DNS names are machine names, and also because a certificate is only supposed to have one Common Name, and it's annoying to need a separate certificate for each name. So when this was standardised as PKIX the DNS names were given their own way to be represented, as one or more Subject Alternative Names (SANs). Since lots of people already had certificates with DNS names filled in as a Common Name, this was grandfathered in, for a long time. But today common software like web browsers doesn't actually even glance at the Common Name; it's mostly there for humans to look at. Your browser just checks that the certificate has a SAN matching the Fully Qualified Domain Name in the URL.

If you have some pretty old, cranky software you might need to have separate certificates, one for each name, but if it's for web sites or most modern software it's up to you whether it feels appropriate to have one certificate or many, and in a reverse proxy one certificate is likely easiest.

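The matching rule described in the reply above, as an added example (not code from the thread or from Certbot): a small Python script that inspects a certificate's Common Name and DNS Subject Alternative Names and decides whether a hostname is covered the way a modern client does, consulting only the SANs when any are present and ignoring the Common Name, with the grandfathered CN fallback available only as an explicit opt-in for old software. The certificate dictionaries are constructed stand-ins in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same functions can be run against a live server with the `fetch_peer_cert` helper; the `.example` hostnames are assumptions standing in for the poster's six domains.

```python
"""Hostname matching against a TLS certificate, the way modern clients do it.

Operates on the dict shape returned by ssl.SSLSocket.getpeercert(), so the
same functions can be pointed at a real server. The samples below are
constructed stand-ins, not certificates taken from the thread.
"""
import socket
import ssl

# Constructed sample (hostnames assumed): one certificate with Common Name
# domain1 and SANs domain1..domain6, which is what Certbot issues when it is
# given six -d flags at once.
SAN_CERT = {
    "subject": ((("commonName", "domain1.example"),),),
    "subjectAltName": tuple(("DNS", f"domain{i}.example") for i in range(1, 7)),
}

# Constructed legacy-style sample: the DNS name lives only in the Common Name.
CN_ONLY_CERT = {
    "subject": ((("commonName", "domain1.example"),),),
}

# Constructed sample where the Common Name is NOT repeated in the SAN list;
# a browser will not accept it for domain1.example.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "domain1.example"),),),
    "subjectAltName": (("DNS", "domain2.example"),),
}


def common_name(cert):
    """Extract the subject Common Name, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_names(cert):
    """Return the dNSName entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """Case-insensitive comparison of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # RFC 6125 section 6.4.3: a wildcard may only be the entire leftmost label
    # and matches exactly one label; we also require at least two labels after
    # it so that "*.org" style names are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches(cert, hostname, allow_cn_fallback=False):
    """Return True if hostname is covered by cert.

    If the certificate carries any DNS SANs, only those are consulted and the
    Common Name is ignored, which is what browsers do today. A certificate
    with no SANs matches nothing unless allow_cn_fallback is set, which
    re-enables the grandfathered behaviour some old software still relies on.
    """
    names = dns_names(cert)
    if names:
        return any(_name_matches(name, hostname) for name in names)
    cn = common_name(cert)
    if allow_cn_fallback and cn:
        return _name_matches(cn, hostname)
    return False


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server's certificate in the same dict shape (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print("CN:  ", common_name(SAN_CERT))
    print("SANs:", dns_names(SAN_CERT))
    for host in ("domain1.example", "domain4.example", "domain7.example"):
        print(f"{host:<16} covered by SAN cert: {matches(SAN_CERT, host)}")
    print("CN-only cert, modern client: ", matches(CN_ONLY_CERT, "domain1.example"))
    print("CN-only cert, legacy fallback:",
          matches(CN_ONLY_CERT, "domain1.example", allow_cn_fallback=True))
    print("CN present but not in SANs:  ", matches(CN_NOT_IN_SAN_CERT, "domain1.example"))
```

To check a real deployment, replace the constructed dicts with `fetch_peer_cert("domain1.example")` and confirm that `dns_names()` lists every hostname the proxy answers for; a hostname that appears only in `common_name()` will produce a browser warning even though the certificate looks "issued to" that name.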

It's normal, but I won't have a problem later on, right? And is this advisable? Or do I need to set up 1 certificate per domain?

That's too much for me to analyze right now. I need to research more regarding your content. Thank you very much.
