Multiple overlapping SSL certificates
Hi, I'm in a weird, inherited situation where there were multiple existing certificates on our server, securing some but not all of our domains/subdomains. I didn't realize this, and got a certificate for our main domain and two subdomains, and then found out there were other subdomains that also needed a cert. So I reissued the first one I got, with 8 domains/subdomains. But now I can see that there are still more subdomains that are covered by certificates 3 and 4, but not the new cert.
What I want to know is, what happens if I install the newest cert? Will the other subdomains not covered by the new certificate still be covered by the remaining ones? Or do I need to have a single SSL certificate that covers our primary domain and all of our subdomains?
Server info in screenshot.
Thanks!
-
Hey there! On a cPanel server, you can only have one SSL certificate per vhost, so I'm not entirely sure what is happening in the situation you describe.
cPanel also has the AutoSSL tool, https://docs.cpanel.net/whm/ssl-tls/manage-autossl/, which provides a free SSL certificate to all domains on the system.
I can't comment on the specific SSL that you purchased because I don't know what type of domains it was designed to cover, but in general:
-you can install the SSL certificate on the server and it will cover the domain it is purchased for
-if it is a wildcard SSL you may need to install it for each subdomain you want covered
-if there are separate domains or subdomains on a separate vhost, they would not be affected by this work.
-
Thanks for your response, dPRex!
It sounded like I'd be ok to install the new certificate, since as far as I can tell from the cPanel documentation, all of our subdomains should be on separate vhosts.
However, installing the new cert has left a few subdomains not covered, and I'm not sure why these and no others seem to be affected. Here are the 4 certs currently on our account - I put an "x" after the ones that are returning security warnings in the browser:
Certificate #1, expires 6/24:
mydomain.org
files.mydomain.org
subdomain1.mydomain.org
subdomain2.mydomain.org
subdomain3.mydomain.org
www.mydomain.org
www.files.mydomain.org
www.subdomain1.mydomain.org
www.subdomain2.mydomain.org
www.subdomain3.mydomain.org

Certificate #2, expires 7/24:
mydomain.org
mail.mydomain.org x
www.mydomain.org

Certificate #3, expires 2/2025:
mydomain.org
subdomain5.mydomain.org
subdomain6.mydomain.org

Reissued certificate #3, expires 2/25:
mydomain.org
subdomain4.mydomain.org x
subdomain5.mydomain.org
subdomain6.mydomain.org
staging.mydomain.org x
www.mydomain.org
www.subdomain4.mydomain.org x
www.subdomain5.mydomain.org x
www.subdomain6.mydomain.org x

It seems like the safest/cleanest solution would be to reissue certificate #4 (the re-issued #3) to include ALL of our subdomains with www variations. Except maybe www.staging.mydomain.org, since I'm the only one who uses it. And install that, and delete all of the other certificates.
Does that make sense?
Thanks!
-
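Added example (not code from the thread or from cPanel): a browser decides whether a certificate covers a hostname purely by matching the name against the certificate's subjectAltName dNSName entries, so the first thing to check when a name throws a warning is whether it is literally on the SAN list of the certificate the vhost serves. The script below implements that matching rule (exact match, or a wildcard that stands for exactly one left-most label), runs it over the SAN lists posted above using the placeholder names from the post, and lists which of the needed hostnames a given certificate leaves uncovered. The `live_check` helper is an assumption about how one would verify what a vhost really serves: it needs network access and is not exercised in the offline part.

```python
"""Which hostnames does a SAN certificate actually cover?

Added example, not code from the original thread. Matching follows the rule
browsers apply (RFC 6125): a dNSName entry matches exactly, and a wildcard
is honoured only as the entire left-most label, matching exactly one label.
So "*.mydomain.org" covers "staging.mydomain.org" but neither
"mydomain.org" nor "www.staging.mydomain.org".
"""
import socket
import ssl


def hostname_matches_san(hostname: str, san: str) -> bool:
    """True if `hostname` is covered by the single dNSName entry `san`."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    # Only "*.<at least two more labels>" is accepted: "*", "f*o.example"
    # and "*.org" are rejected, as browsers reject them.
    if first != "*" or rest.count(".") < 1 or "*" in rest:
        return False
    host_first, _, host_rest = host.partition(".")
    return host_first != "" and host_rest == rest


def uncovered(required: list[str], sans: list[str]) -> list[str]:
    """Hostnames from `required` that no entry in `sans` covers."""
    return [h for h in required
            if not any(hostname_matches_san(h, s) for s in sans)]


# Constructed from the SAN list of the reissued certificate #3 in the post.
REISSUED_CERT_3 = [
    "mydomain.org", "subdomain4.mydomain.org", "subdomain5.mydomain.org",
    "subdomain6.mydomain.org", "staging.mydomain.org", "www.mydomain.org",
    "www.subdomain4.mydomain.org", "www.subdomain5.mydomain.org",
    "www.subdomain6.mydomain.org",
]

# Constructed: every hostname that appears on any of the four certificates.
ALL_HOSTNAMES = [
    "mydomain.org", "www.mydomain.org", "files.mydomain.org",
    "www.files.mydomain.org", "mail.mydomain.org",
    "subdomain1.mydomain.org", "www.subdomain1.mydomain.org",
    "subdomain2.mydomain.org", "www.subdomain2.mydomain.org",
    "subdomain3.mydomain.org", "www.subdomain3.mydomain.org",
    "subdomain4.mydomain.org", "www.subdomain4.mydomain.org",
    "subdomain5.mydomain.org", "www.subdomain5.mydomain.org",
    "subdomain6.mydomain.org", "www.subdomain6.mydomain.org",
    "staging.mydomain.org",
]


def live_check(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI and full verification (assumed helper, needs network).

    Returns (True, [dNSNames...]) when the certificate the vhost serves is
    trusted and covers `hostname`, or (False, reason) when verification fails,
    which is exactly the condition that produces the browser warning.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                        if k == "DNS"]
                return True, sans
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message


if __name__ == "__main__":
    print("Not covered by the reissued cert #3:",
          uncovered(ALL_HOSTNAMES, REISSUED_CERT_3))
    # A single wildcard would still leave every www.<sub> name uncovered.
    print("Not covered by mydomain.org + *.mydomain.org:",
          uncovered(ALL_HOSTNAMES, ["mydomain.org", "*.mydomain.org"]))
```

Two things the offline run makes visible: the reissued certificate #3 leaves nine of the eighteen names uncovered, and a wildcard is not a shortcut for the `www.<sub>` variants, because `*.mydomain.org` matches only one label. The script cannot tell which certificate a vhost actually serves; that is what `live_check` (or the server's own SSL/TLS status page) is for.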
That certainly sounds correct, but is there a reason you can't use AutoSSL? It's free, it's automatic, and covers every domain on the server.
-
Thanks for suggesting AutoSSL, I guess I need to read up on that. But, as I understand it, cPanel is now using Let's Encrypt by default instead of Sectigo,
And I've more or less been told not to use Let's Encrypt certs by our tech support folks, "because they are not always in the browser’s trusted certificate authority list."
Also, I don't see how to manage AutoSSL in cPanel, and unfortunately, I don't have a login for WHM. But if this looks like what we should be doing, I can request that.
Thanks for all your help!
-
Interesting - I've never heard that complaint about Let's Encrypt as they are a *major* certificate authority. I just think it would be easier long-term than trying to manually manage all those different SSL certificates, and much cheaper for you.
You should have options under the SSL/TLS Status page, if you can see that area of the interface in your cPanel.