In this article, let's see what multi-domain SSL is, and the steps to generate a CSR and install a multi-domain SSL certificate for various domains on a cPanel server.
What is Multi-domain SSL:
A multi-domain certificate (also known as a SAN certificate or Unified Communications Certificate (UCC)) is a special type of SSL certificate. With a multi-domain certificate you can secure one domain name with different domain extensions (e.g. domain.co.uk and domain.es) or multiple domain names (e.g. domain.co.uk and example.com) hosted on the same server using one SSL certificate.
Multi-domain certificates include the standard Subject Name field which supports a single primary service name, as well as an additional entry called the Subject Alternative Name field which supports the additional service names.
How to generate a SubjectAltName (SAN/UCC) CSR:
Generating a CSR for multi-domain SSL requires:
- Modifying the openssl configuration file and supplying the extra name information
- Generating the CSR using the modified openssl configuration file
>> Modifying the openssl configuration file
1. Make a copy of your initial openssl.cnf file
2. Open the configuration file /etc/pki/tls/openssl.cnf
2.a) Enable the extensions:
[req]
req_extensions = v3_req
(In the req section, this line should already exist, but be commented out.)
2.b) Add an entry in the v3_req section to collect the alternative names.
Edit the file and add under [v3_req]:
subjectAltName = DNS:www.domain1.com,DNS:www.domain2.com,DNS:www.domain3.com
OR
Edit as:
[ v3_req ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.domain1.com
DNS.2 = www.domain2.com
DNS.3 = www.domain3.com
You will need to set your alt_names section to the FQDNs you wish to use. If you need more, simply add "DNS.4 = otherdomain.com" and so on.
Once you have done that, save the file and then execute openssl!
>> Generate a CSR based on the current configuration file
We can generate the CSR from the new OpenSSL configuration file as below:
# openssl req -new -nodes -out myreq.csr -config /etc/pki/tls/openssl.cnf
When you run the command, it will ask you a series of questions, such as the Country Name, Organization Name, etc., in order to generate the CSR. Once the command has run successfully, we will have a “myreq.csr” and a “privkey.pem” associated with the CSR.
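The same procedure as a script, added here as an example (it is not from the original article): it writes the SAN settings to a separate config file instead of editing /etc/pki/tls/openssl.cnf, generates the key and CSR non-interactively, and lists the DNS names actually present in the CSR so they can be checked before it is submitted. The function names, the san.cnf file name and the RSA-2048 key size are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article). Function names, san.cnf and the
# RSA-2048 key size are assumptions; domain names are the article's samples.

# write_san_config FILE PRIMARY [ALT...]: minimal req config; every name,
# including the primary one, is listed under [alt_names].
write_san_config() {
    cfg=$1; shift
    {
        printf '[req]\ndistinguished_name = dn\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$1"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_san_csr DIR PRIMARY [ALT...]: creates DIR/privkey.pem and DIR/myreq.csr.
make_san_csr() {
    dir=$1; shift
    write_san_config "$dir/san.cnf" "$@"
    (
        umask 077   # -nodes leaves the key unencrypted: keep it owner-only
        openssl req -new -nodes -newkey rsa:2048 -config "$dir/san.cnf" \
            -keyout "$dir/privkey.pem" -out "$dir/myreq.csr"
    ) 2>/dev/null
}

# csr_sans CSR: print the DNS names the CSR really carries, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2 | sort
}

# missing_sans CSR NAME...: print each expected name that is absent.
missing_sans() {
    csr=$1; shift
    have=$(csr_sans "$csr")
    for want in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$want" || printf '%s\n' "$want"
    done
}

d=$(mktemp -d)   # constructed demo run in a throwaway directory
make_san_csr "$d" www.domain1.com www.domain2.com www.domain3.com
csr_sans "$d/myreq.csr"
```

An empty result from missing_sans means every expected name is in the request; any name it prints was left out of [alt_names] and would not be covered by the issued certificate.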
How to install the certificate in multiple domains:
Now we can purchase the SSL certificate from any trusted third-party provider by submitting the generated CSR. When purchasing a multi-domain SSL certificate from a trusted provider, we will have the option to provide the primary domain name (www.domain1.com) and the Subject Alternative Names (www.domain2.com, www.domain3.com, etc.).
Once the multi-domain SSL certificate is issued, we can proceed with the normal procedure for installing SSL for the accounts from cPanel/WHM.
While multi-domain certificates are also useful when used to support unified communications deployments, there are some caveats for their use:
- Multi-domain certificates do not support use of wildcard characters. For this reason, sub-domain names must be added as unique domain name entries in the certificate. Each time a new domain name is added or an old one is removed, the certificate must be updated and re-deployed to each host server.
Still, with the shortage of IPv4 addresses, the solution of using a UCC SSL certificate seems more and more attractive, as it allows you to host multiple SSL domains using only a single IP address.