Wildcard certificate alongside a standard single domain cert


#1

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is: Squarespace

I can login to a root shell on my machine (yes or no, or I don’t know): Ubuntu Yes | Squarespace no

My question:
I have a question about SSL certificates. We are in the process of using Let's Encrypt certificates for Azure AD, which requires a wildcard certificate.
We already have a website hosted with Squarespace that uses Let's Encrypt as the main SSL provider (no option to control this, unfortunately).

I would like to know whether a wildcard certificate will affect the normal certificate which is issued for @ and www for our domain.


#2

The only way in which they could potentially affect each other is if either Squarespace or you issue a lot of certificates: that may cause rate limiting against your domain, which would prevent further issuance of certificates for a period of time.

You can read more here: https://letsencrypt.org/docs/rate-limits/

I do not think Squarespace would make this error, as their system is automated and has been in production a while, so it is mostly up to you to not accidentally issue many certificates in a short period of time.


#3

OK, thanks. That was my idea as well, but I had some doubts about it… as if a wildcard would override the normal certificate and break the website… Thanks for this reply :slight_smile:


#4

Basically in the web PKI, individual certificates don’t “contradict” each other. Each certificate is considered an independent assertion that a particular key is OK for a name or set of names, but not a statement that other certificates are wrong or obsolete. We could say that the idea is, in part, that different certificate authorities might have different knowledge about why something is OK or correct during a given time period.

Only the certificate authority that issued a certificate can “contradict” it, by revoking it¹. However, issuing a certificate with different subject information isn’t the same as a revocation, and both of them will be valid concurrently. (One example use case for this is when there are different servers with the same domain name in different data centers, using different public keys. Each one can get a valid certificate for its own key, without contradicting the validity of the other one.)

¹ Also, if a browser vendor decides that a specific certificate was malicious in some way, it can blacklist that particular certificate in new versions of the browser, although this power is very rarely used.
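The point above, that each certificate is an independent assertion and several can be valid for the same name at once, can be checked mechanically. The following is an added example, not code from the thread or from Let's Encrypt: it applies the RFC 6125 wildcard rule (a wildcard replaces only the whole leftmost label) to two constructed certificates, a single-domain one for the apex and www, and a wildcard one for a different key, and lists which of them cover a given hostname on a given date. Domain, labels, keys and dates are made-up placeholders.

```python
"""Which certificates cover which hostnames (RFC 6125 wildcard matching).

Added example, not code from the thread. All certificate data below is
constructed inline; names, key labels and dates are placeholders.
"""
from datetime import date

# Constructed sample: the site's existing single-domain cert (apex + www)
# and a separately issued wildcard cert for a different key, as in the thread.
CERTS = [
    {"label": "squarespace-cert", "key": "key-A (placeholder)",
     "sans": ["example.com", "www.example.com"],
     "not_before": date(2019, 1, 1), "not_after": date(2019, 4, 1)},
    {"label": "wildcard-cert", "key": "key-B (placeholder)",
     "sans": ["*.example.com"],
     "not_before": date(2019, 2, 1), "not_after": date(2019, 5, 1)},
]


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125 rule: a wildcard stands in for exactly one leftmost label,
    so *.example.com covers www.example.com but neither example.com (the
    apex) nor a.b.example.com. DNS names compare case-insensitively."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return left != "" and "." not in left


def covering_certs(hostname: str, on: date, certs=CERTS) -> list:
    """Labels of every cert that is within its validity period on `on`
    and names `hostname`. Each cert is an independent assertion, so more
    than one can apply to the same name at the same time."""
    return [c["label"] for c in certs
            if c["not_before"] <= on <= c["not_after"]
            and any(san_matches(s, hostname) for s in c["sans"])]


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "login.example.com"):
        print(host, covering_certs(host, date(2019, 3, 1)))
```

Note that the wildcard does not cover the apex at all, so the single-domain certificate remains the only one valid for @, while www is covered by both concurrently.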
