
Using wildcard certificates for multi-server deployment

@Nimeshi995

Posted in: #Https #SecurityCertificate

Currently we are deploying a beta API for our services and we want all requests/responses from the API to work over HTTPS. I'm confused about using wildcard certificates for both the api and www URLs. Is it a good idea to use a wildcard certificate for both api.example.com and example.com? Are there any inconveniences?

What about those 1-server-only certificates? Because I'm deploying my API on n servers with a load balancer in front.


2 Comments


@Welton855

The only problem that I've seen with wildcard certs so far is that they don't appear to have any that support EV. This is only really a concern if you want the cool browser chrome saying "hey, this site is officially OK and verified". If you're only looking for secure transport and don't care about customer purchasing confidence, go the cheap way. Or buy EV for the www server, and wildcard for the API.


@Angie530

You are correct, using a wildcard cert is a great idea in this case. It'll keep your configuration for separate domains simple, and ensure that any subdomains you decide to add will work.

There are a couple drawbacks:
- Your top level domain is not secure. As in, the certificate is not good for example.com.
- They are very expensive, normally around k.

As for 1-server-only certs, it depends on the agreement you make when you purchase the cert. Some will allow the cert to be installed on multiple servers, some will not. Also, I have no idea how or if they check that the cert is only installed on a single server. You might be able to get away with it...

Also, if you are using a load balancer, I would recommend installing the cert there, if your hardware allows it. I know the Cisco CSS series has a dedicated hardware module that handles all the encryption and decryption, saving some work for your servers.

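The point about `*.example.com` not covering `example.com` comes from how clients match a hostname against the certificate's subjectAltName (SAN) entries. The sketch below is an added example, not part of either answer: it applies RFC 6125-style matching to the hostnames from the question and shows that a certificate listing both `*.example.com` and `example.com` as SANs covers the apex as well. The function names and SAN lists are hypothetical, constructed values.

```python
# Added example: RFC 6125-style matching of a hostname against dNSName SAN entries.
# The SAN lists and hostnames are constructed samples, not read from a real certificate.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must be equal.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        rest = p_labels[1:]
        # Require two fixed labels after the wildcard, so "*.com" never matches.
        if len(rest) < 2 or any("*" in label for label in rest):
            return False
        return rest == h_labels[1:]
    # This sketch rejects partial-label ("f*.example.com") and non-leftmost wildcards.
    if any("*" in label for label in p_labels):
        return False
    return p_labels == h_labels


def cert_covers(san_list, hostname):
    """A certificate covers a hostname if any of its SAN entries matches."""
    return any(san_matches(pattern, hostname) for pattern in san_list)


def coverage_report(san_list, hostnames):
    """Map each hostname to whether the SAN list covers it."""
    return {host: cert_covers(san_list, host) for host in hostnames}


HOSTS = ["api.example.com", "www.example.com", "example.com", "v1.api.example.com"]
WILDCARD_ONLY = ["*.example.com"]                     # wildcard name alone
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]  # apex listed as a second SAN

if __name__ == "__main__":
    for name, sans in (("wildcard only", WILDCARD_ONLY),
                       ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(name)
        for host, ok in coverage_report(sans, HOSTS).items():
            print(f"  {host:22} {'covered' if ok else 'NOT covered'}")
```

Neither SAN list covers `v1.api.example.com`, because the wildcard spans one label only; a deeper subdomain needs its own SAN entry or a separate certificate.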