Can you re-use an SSL certificate across platforms?


Solution 1

A real CA will only issue you one valid X.509 cert for each distinct "subject" (DN) or subject/SAN combination at any point in time. A wildcard is generally intended for use on multiple systems. Some CAs used to charge an additional "license" per-device, check the small print.

The key and the cert are tied to each other (this is the asymmetric cryptographic part that I'm not even going to begin to explain here). Each certificate has (in theory) exactly one matching private key, so you cannot have multiple distinct keys and a common certificate.

The approach is:

  • you don't generate a CSR on each system individually
  • use openssl to generate a key and a CSR, follow your chosen CA's instructions
  • submit CSR, pay $$$ and wait
  • use openssl to convert the .key and .crt as required by the other platform (DER, PEM, P12/PKCS#12), etc.
  • make sure to protect your key at all times on all platforms
  • import the key/cert pair on each system, they all share the same pair, albeit likely imported in different formats

One key, one CSR, one cert -- multiple installs.

CAs always ask the platform, mostly to give you a suitable file format (cert and bundle), but I suspect also to work around known issues (e.g. exact certificate attributes and formats, DN name format, X.509v3 extensions). In general you should be able to use openssl, tell the CA you use "Apache/mod_ssl", and convert.
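The one-key, one-CSR workflow described in this answer, carried through with openssl, as an added example that is not part of the original answer. It assumes openssl is in PATH; example.com, the password "changeit" and the file names are placeholders, and the CA issuance step is replaced by a self-signed certificate so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original answer). One private key and one CSR,
# then the same key/cert pair converted for each platform. Assumes openssl is
# in PATH; example.com, "changeit" and the file names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch directory for the generated files
DOMAIN="${DOMAIN:-example.com}"     # placeholder domain for the wildcard cert

# Step 1: generate the key and the CSR once, on one machine, with a wildcard
# CN and matching SANs (CAs expect the names in the SAN extension today).
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/server.key" 2>/dev/null
    chmod 600 "$WORK/server.key"    # protect the key from the moment it exists
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=*.$DOMAIN" -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN"
}

# Step 2: stand-in for the CA. Offline we self-sign the CSR; a real CA returns
# server.crt (plus its chain bundle) after you submit the CSR and pay.
issue_stand_in_cert() {
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$DOMAIN" "$DOMAIN" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -days 30 -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 3: convert the one pair into what each platform imports.
convert_formats() {
    # Binary DER certificate (e.g. for keytool/Java imports)
    openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.der"
    # PKCS#12 bundle of key + cert (IIS certificate store, Tomcat keystore)
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -name "$DOMAIN" -passout pass:changeit -out "$WORK/server.p12"
}

# Step 4: before deploying anywhere, confirm the cert really belongs to the key
# by comparing the SHA-256 of the public key extracted from each file.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/server.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

make_key_and_csr
issue_stand_in_cert
convert_formats
key_matches_cert && echo "key and cert match; files in $WORK"
```

The same server.key, server.crt, server.der and server.p12 are what gets imported on every host; only the container format differs per platform.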

Solution 2

You only need one certificate for each subject - in the case of webservers the subject is the (virtual) host name. The only issue is that there are multiple formats for X.509 certificates - but openssl can convert between all the formats I'm aware of (including DER, PEM, PKCS#12, PKCS#7).

Author: jishi

Updated on September 18, 2022

Comments

  • jishi (over 1 year ago):

    Let's say I want to buy a wildcard SSL certificate that I can use for web servers, spanning across a multitude of different servers and platforms.

    I could issue a CSR for each and every one of them, with their own private-public key pairs, but would it be possible to distribute the private key to all of the different servers and use the same certificate? That way, only issuing 1 CSR and then deploying this to a mixture of platforms. Or, are the certificates issued differently for different platforms?

    The current farm is a mixture of:

      • Windows 2008 R2 and IIS
      • Linux and Tomcat (running JIRA and Confluence)
      • Clavister firewall (I assume I don't get an answer to this though)