Is it possible to use wildcard certificates on multiple devices?

  • I have a server that I want to use a wildcard cert on. It runs multiple services. I purchase a wildcard cert so that I can protect mail.something.dom, www.something.dom, im.something.dom, calendar.something.dom, addressbook.something.dom

    A few months later I come into several new servers. I now have enough servers that I could set one up for each subdom that I created. I want to use my wildcard cert rather than buy an SSL cert for each one.

    Is it possible if I:

    1. Copy the public and private keys for the wildcard cert from the original server.
    2. Place a copy of each of the keys in each new server.
    3. Place a copy of the wildcard cert in each new server.

    If this is not the process to do this, is there a process that will work?

  • Tom Leek

    Tom Leek Correct answer

    8 years ago

    The process you describe will work. Whether you will be able to enact it is a different thing: it depends on where, exactly, your private key is. In Windows systems, a private key might be marked as "non exportable", which means that Windows will not allow the export; the export is still possible (Windows is only software, it cannot do miracles) but somewhat hackish. On Linux systems, private keys are just files and files can be copied at will. If your private key generation and storage involved dedicated hardware then see the documentation of your HSM for possible options.

    Possible objections against such a plan are the following:

    • There may be contractual issues. It really depends on the CA. The CA does not have technical power to prevent you from moving your private key from server to server (it is your key on your machines, they cannot spy on that), but they can still define it as a contract breach, at least theoretically. Commercial CA make money out of selling certificates, and you are buying and using a wildcard certificate precisely so that you do not have to buy a new certificate for each new server name; the commercial people at the commercial CA will understandably feel queasy at the concept, hence the possibility of some legal hindrance.

    • The value of a private key resides in its privacy. If your private key becomes known to outsiders, then you have a big problem. As a general rule, any export-transfer-import operation potentially exposes the private key; the more a private key travels, the less private it becomes. The "recommended way" is to have each server (physical machine) generate its own key pair, and never export the private key at all. What you suggests is at odds with this general principle, so beware.

    • If the private key is stolen, then the certificate will have to be revoked, and this will impact all your servers at the same time. With several distinct certificates, damage is more contained. Similarly, when the wildcard certificate expires, a renewal will have to be done, and the new certificates installed on all servers simultaneously. Depending on how many distinct servers you have, this may prove to be cumbersome.

    You seem to suggest that each server should have it's own private key (which seems logical for me too). What is the common way to deal with that ? Should we issue as much CSR as servers or can we build a CSR from multiple keys ?

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM