
CNAME SSL certificates

If I go to www.example.com which has an image on the page that links to assets.example.com which is a CNAME for assets.example2.com.

Will I get the green lock even if assets.example2.com does not have a certificate, but assets.example.com does?

maletor asked Mar 29 '12 23:03



People also ask

What is CNAME in SSL certificate?

The CNAME is just an alias to another record in the DNS registry. But in the end you have an IP address. You can also add some record to your /etc/hosts file. Once your browser has an IP address it can connect to the server and initiate an SSL or TLS session.

Do I need an SSL certificate for a CNAME?

You do need an SSL certificate. I wanted to add that it is because there is no such thing as a CNAME redirect. A CNAME is not a redirect. A CNAME instructs the DNS to resolve to the same domain as where the CNAME points.

Does CNAME work with HTTPS?

When both domains are in the SSL cert list, your CNAME can redirect with HTTPS. This is how CDN service providers such as Incapsula work with HTTPS. They just create a "Multi-domain" SSL cert for you.


1 Answer

Whether your DNS entry uses a CNAME or an A record doesn't matter. What matters is the host name the client is trying to connect to. It must match one of the Subject Alternative Names in the certificate of the server providing that resource (or, failing that, it must match the CN RDN of the cert's Subject DN).

If https://www.example.com embeds an image to https://assets.example.com (providing both are served over HTTPS with valid certificates for each) and if there is no mixed content (no resource loaded over http://, that is no JavaScript, no image, no iframe, ...) then you should get the green/blue bar as appropriate.

If assets.example.com is a CNAME to assets.example2.com and the requests are made to https://assets.example.com, this machine must present a certificate valid for assets.example.com to the client.


In addition, if multiple certificates need to be used at the same time on this IP address (and same port), support for Server Name Indication (SNI) may be required.

Alternatively, having a single certificate that supports all these names, typically via multiple Subject Alternative Name (SAN) entries, or possibly via wildcard names (which are not recommended), may be used.

This is independent of the DNS resolution mechanism (CNAME or A record).

Bruno answered Oct 05 '22 08:10

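To make the answer's rule concrete, here is an added Python example (not part of the original answer): it matches the host name the client asked for, not the CNAME target, against the certificate's SAN dNSName entries, falling back to the Subject CN only when the certificate has no SAN. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and `check_live` is an assumed helper name for a real connection.

```python
import socket
import ssl

def hostname_matches(requested, cert_names):
    """Simplified RFC 6125 match of the name the client asked for: exact, or
    a leftmost '*' label covering exactly one label ('*.example.com' matches
    assets.example.com but not example.com or a.b.example.com)."""
    req = requested.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == req:
            return True
        if (labels[0] == "*" and len(labels) == len(req) >= 3
                and labels[1:] == req[1:]):
            return True
    return False

def names_from_cert(cert):
    """SAN dNSName entries win; the Subject CN is only a fallback when the
    certificate carries no SAN (as the answer describes)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns: what assets.example2.com presents if it only holds a certificate
# for its own name, and one that also lists the alias assets.example.com.
CERT_TARGET_ONLY = {
    "subject": ((("commonName", "assets.example2.com"),),),
    "subjectAltName": (("DNS", "assets.example2.com"),),
}
CERT_WITH_ALIAS = {
    "subject": ((("commonName", "assets.example2.com"),),),
    "subjectAltName": (("DNS", "assets.example2.com"),
                       ("DNS", "assets.example.com")),
}

def check_live(requested_host, port=443):
    """Hypothetical helper: connect to whatever requested_host resolves to (the
    resolver follows any CNAME), send requested_host in SNI and return the names
    on the presented certificate; the default context raises on a mismatch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((requested_host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=requested_host) as tls:
            return names_from_cert(tls.getpeercert())
```

With the constructed certificates, a request for assets.example.com fails against `CERT_TARGET_ONLY` and succeeds against `CERT_WITH_ALIAS`, regardless of which machine DNS pointed the client at.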