CNAME or A record for domains having SSL certificate www.mydomain.com
None of the above. You should get an SSL certificate that covers two domains: www.mydomain.com and mydomain.com.
As per your proposals:
1) Having a wildcard certificate for a single domain of *.mydomain.com will still give you an error when opening mydomain.com without any prefix. You may of course get a multidomain certificate for *.mydomain.com and mydomain.com.
2) For the sake of SSL, it doesn't matter whether it is CNAME or A - DNS is used to get the address (A record) of your webserver; afterwards the browser still expects the SSL certificate to match exactly what you type in the address bar.
3) That would work for http requests, but when the user types https://mydomain.com, the browser checks the SSL certificate before it processes the redirection request, and will still show the warning.
P.S. You have this problem because the CA industry is totally screwed. Their product pages all look like "super 256-bit encryption" (certificates have nothing to do with encryption strength), mobile support (be it mobile or mainframe, the certificate is all the same), and "a free site-seal included" (site seal is a great name for a CA advertisement placed on your site).
All the not important things, like whether it's CRL or OCSP, or which domain names it covers at all - never mentioned.
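The matching rule the answer relies on, as an added example that is not part of the original answer: a wildcard entry stands for exactly one leftmost label, so *.mydomain.com does not cover mydomain.com. The function names and the certificate name lists are constructed for illustration; partial-label wildcards are not handled.

```python
# Added illustration: RFC 6125-style matching of a hostname against the DNS
# names listed in a certificate. All name lists below are constructed samples.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    # Everything to the right of the first label must match literally.
    if p_labels[1:] != h_labels[1:]:
        return False
    if p_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p_labels) >= 3
    # Only a whole-label "*" is treated as a wildcard; anything else is literal.
    return p_labels[0] == h_labels[0]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names, hostnames):
    """Map each hostname the site is reached by to covered / not covered."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# The two names users type, as in the answer.
SITE_NAMES = ["www.mydomain.com", "mydomain.com"]

# Constructed certificate name lists for the options discussed.
CERTS = {
    "single-name": ["www.mydomain.com"],
    "wildcard-only": ["*.mydomain.com"],
    "two-names": ["www.mydomain.com", "mydomain.com"],
    "wildcard+apex": ["*.mydomain.com", "mydomain.com"],
}

if __name__ == "__main__":
    for label, names in CERTS.items():
        print(f"{label:14} {coverage_report(names, SITE_NAMES)}")
```
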
Neil
Updated on June 04, 2022
Comments
-
Neil almost 2 years
We have two A records pointing to the same public IP address as:
www.example.com IN A 192.*.*.*
example.com IN A 192.*.*.*
We have a certificate issued by Verisign to www.example.com. Now when the user types https://www.example.com/xyz, everything works fine as expected. But when we use https://example.com/xyz, the browser throws an error: "There is a problem with this website's security certificate" and asks the user to make a decision if they trust and want to go ahead.
Now what should be best practice here:
- Change certificate and get wildcard certificate *.example.com
- Use following setting at DNS:
  www.example.com IN A 192.*.*.*
  example.com IN CNAME www.example.com
- Write a HTTP module in .Net pipeline to redirect user if they type example.com/xyz to www.example.com/xyz. I know this is not recommended.
We would like to do something like what chase.com is doing. If you type chase.com it takes you to https://www.chase.com/.
-
Neil almost 12 years
Is it two separate certificates or one certificate supporting two domains?
-
Sandman4 almost 12 years
It's one certificate for multiple domain names. Two separate certificates work only with newer browsers, supporting Server-Name-Indication. With all the rest only one certificate will be used, and thus user will get a warning for the second name.
-
Sandman4 almost 12 years
It is common for certificates to cover two names www.example.com and example.com, and again, CA bastards forget to mention it - you have to contact support to know what you actually get.
-
Sandman4 almost 12 years
@Julian I did not say that there's any need for a wildcard cert.
-
Julian almost 12 years
You're right @Sandman4, but you don't need a cert for two domains either. You just need a regular http redirect. No need to buy anything new.
-
Sandman4 almost 12 years
@Julian: The original question reads "But when we use httpS://mydomain.com/xyz, browser throws....". Whether it's important to have no warnings or not in this rare case, it's a matter of taste.
-
Julian almost 12 years
@Sandman4: Right you are. All I saw was "We would like to do something like what chase.com is doing if you type chase.com it takes you to chase.com". Removing my answer (though I'd argue it makes sense, it does not address the question as written).