letsencrypt pan-domain certificate - https

I applied for a certificate for 1991421.cn, but I found that I can also use this certificate for the services on static.1991421.cn.
I am very confused: what is the difference between this certificate and a pan-domain certificate such as *.1991421.cn?
I originally wanted to apply for two certificates, 1991421.cn and static.1991421.cn, so as to use them with the two corresponding web services, but I found that this can be satisfied with the one certificate for 1991421.cn.

~~I think you can't use the certificate for *.example.com for https://example.com, because this name is not comparable with the mask.~~
I made a mistake:
You can use example.com for first.example.com and for second.first.example.com.
But you cannot use *.example.com for second.first.example.com. A wildcard certificate for *.example.com supports only first-level subdomains, not second-level ones. (For the second level you need the cert *.example.com.)

Related

SSL certificate issue with www

I have configured the CNAME record on GoDaddy to point www to # and I created an SSL certificate for mydomain.com.
I have no problem accessing it via https://example.com, but it throws an SSL exception
"Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for www.example.com. The certificate is only valid for example.com."
if I access it via https://www.example.com.
What's the issue with that, since I have created the CNAME mapping for www?
When your browser checks the certificate, it just takes what's between https:// and the next / (if any). Since www.example.com does not match the subject in your SSL cert, the validation fails.
You need to check the knowledge base of your CA to generate a proper certificate that has www.example.com listed as an alias in your certificate.

HTTPS for sub domains

We need to have some modules, for example: admin, app API, website.
So the website URL is https://company-name.com. For the modules we want https://admin.company-name.com and https://api.company-name.com.
How can we make the subdomains secure (https)? Should we use the same certificate as for the website, or should they be separate new certificates? What issues could we have if we use the same certificate?
You need a certificate which includes all your domains and subdomains in the SAN (Subject Alternative Name) field of your certificate. The simplest way is to use Let's Encrypt, which generates it for free.
Then you include this certificate on both virtual hosts.
You can use certbot to get an https certificate:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
Just add all domains while executing, so your certificate will remain valid on all the mentioned sub-domains:
certbot --apache -d example.com -d admin.example.com -d api.example.com

Unable to have Multi level wildcard SSL detected in Windows cert store [duplicate]

I bought a wildcard certificate for *.example.com. Now I have to secure *.subdomain.example.com. Is it possible to create a sub-certificate from my wildcard certificate?
If it is, how can I do this?
No, it is not possible. A wildcard inside a name only reflects a single label and the wildcard can only be leftmost. Thus *.*.example.org or www.*.example.org are not possible. And *.example.org will neither match example.org nor www.subdomain.example.org, only subdomain.example.org.
But you can have multiple wildcard names inside the same certificate, that is you can have *.example.org and *.subdomain.example.org inside the same certificate.
It is impossible to secure multi-level subdomains with a single wildcard certificate. If a wildcard certificate is issued for *.mydomain.tld, it can secure only first-level subdomains of mydomain.tld.
To secure your second-level subdomains, you have two choices.
Purchase another wildcard certificate for *.sub1.mydomain.tld. In that case, you need to manage two individual wildcard certificates.
Or go with a multi-domain wildcard certificate, where you can add up to 100 domains or subdomains.
For example,
*.mydomain.tld
*.sub1.mydomain.tld
*.sub2.mydomain.tld
*.anydomain.com
It will secure your multiple domains and multi-level subdomains and reduce the hassle of managing multiple certificates.
As per a 7-year-old article at https://www.digicert.com/news/2010-9-1-new-wildcard-features/ :
DigiCert Wildcard Plus certificates can secure any subdomain using subject alternative names (SANs). A traditional wildcard certificate for *.example.com will only secure a first-level subdomain of example.com such as mail.example.com. DigiCert's Wildcard Plus certificate uses SANs to secure any subdomain of example.com, including multi-level subdomains such as mail.internal.example.com. With this new feature, all subdomains can be secured with a single Wildcard Plus certificate from DigiCert. The base domain itself, example.com, is automatically included as a SAN in every Wildcard Plus certificate as well, which increases compatibility and protects example.com with or without the "www."
No, you can't create a sub-certificate from your wildcard.
-> Your wildcard certificate is for *.mydomain.tld, so as per the wildcard SSL guideline you can secure first-level sub-domains. This means anything.mydomain.tld can be secured.
-> But if you want to use it to secure *.subdomain.mydomain.tld, which is a second-level sub-domain, a wildcard certificate can't secure second-level sub-domains.
Solution
-> You need to buy one more wildcard SSL certificate for your second-level sub-domain *.subdomain.mydomain.tld
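The four threads above (the 1991421.cn question, the www mismatch, the admin/api subdomains, and the multi-level wildcard) all come down to one rule set: how a browser compares the hostname in the URL against the names in a certificate. The following is an added example, not code from any of the answers, implementing those rules in pure Python (a wildcard is only valid as the entire leftmost label, stands for exactly one label, and never matches the bare domain); the SAN lists fed to it are constructed for illustration, and a real certificate would supply them from its Subject Alternative Name extension.

```python
"""Added example: hostname-to-certificate name matching as browsers do it.

Implements the label-matching rules stated in the answers above (the same
rules RFC 6125 / RFC 2818 describe): the wildcard must be the whole leftmost
label, it covers exactly one label, and it never covers the bare domain.
"""
from typing import Dict, Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (possibly a wildcard) covers hostname."""
    # DNS names compare case-insensitively; a trailing dot is insignificant.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # "*" is only accepted as the entire leftmost label: "www.*.example.com",
    # "*.*.example.com" and partial labels like "f*.example.com" are rejected
    # (browsers treat the last one inconsistently, so reject it conservatively).
    if any("*" in lab for lab in p_labels[1:]):
        return False
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False

    # A wildcard stands for exactly one label, so the label counts must agree:
    # *.example.com covers static.example.com but neither example.com nor
    # second.first.example.com.
    if len(p_labels) != len(h_labels):
        return False

    # Never accept a wildcard directly under a public suffix such as "*.com".
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False

    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


def coverage(san_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the given certificate would be accepted for it."""
    names = list(san_names)
    return {host: cert_covers(names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed SAN lists for the situations discussed in the threads above.
    cases = {
        "cert for example.com only": ["example.com"],
        "wildcard *.example.com": ["*.example.com"],
        "certbot -d example.com -d admin... -d api...": [
            "example.com", "admin.example.com", "api.example.com"],
        "multi-wildcard SAN cert": [
            "example.com", "*.example.com", "*.first.example.com"],
    }
    hosts = ["example.com", "www.example.com", "static.example.com",
             "admin.example.com", "second.first.example.com"]
    for label, sans in cases.items():
        print(label)
        for host, ok in coverage(sans, hosts).items():
            print(f"  {host:28} {'accepted' if ok else 'REJECTED'}")
```

Run it and each of the four constructed certificates is checked against the same five hostnames, which reproduces the behaviour each thread describes: the single-name certificate fails for www, the plain wildcard fails for both the bare domain and the second-level name, and only the certificate carrying several SAN entries covers every level.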

Changing Fiddler root certificate to successfully decrypt HTTPS

Is there a way to change Fiddler's root certificate? I want it for a scenario where the client app uses certificate pinning and I have access to the keystore whose certificate is trusted by the client app.
I think you're asking "Can I change the certificate Fiddler uses for a particular site?" rather than the root certificate, which is used for all sites.
Yes, if you really do have the private key for the certificate, you can configure Fiddler to use it. Inside Fiddler's Rules > Customize Rules > OnBoot function, you can call either:
CertMaker.StoreCert("example.com", certMyCert);
or
CertMaker.StoreCert("example.com", "C:\\temp\\cert.pfx", "TopSecretPassword");
The first call requires that your X509Certificate2 variable (certMyCert in this case) refer to a certificate that is already installed in your computer's Certificate Manager (certmgr.msc), so its private key can be found, while the second allows you to specify a PFX file from disk.

X509 Certificate Purpose Setting

I would like to ask when the purpose of a certificate, like Server Authentication or Client Authentication, is set for the certificate.
Is it when we generate the CSR, or when it is signed by the CA?
The CSR is a Certificate Signing Request. If it is a PKCS#10 request (by far the most common type) it can indicate which extensions are requested and that can include the Extended Key Usage (aka purpose). But the CA ultimately decides what to include when it creates and signs the cert. It could choose not to issue a cert. It could issue a cert with a subset of the requested attributes. It could issue a cert that is completely different. It could issue a cert that is exactly what the CSR requested.
