Somewhat of a newbie SSL question. I'm setting up a backup FMS server on an AWS instance. Our main FMS will also be on AWS. Is it possible to share an SSL certificate for these two sites? They wouldn't run at the same time under the URL. Basically, if I need to take down the production server, could I redirect the DNS to the backup server and have the same SSL certificate work or do I need to buy a wildcard or separate SSL certificates?
Sure, you can install the same cert on multiple machines. The crux is in the DNS management that points the name to the active instance. So when you do a fail-over, all you have to do is update your DNS to point to the active server and all is well.
You don't need a wildcard cert for this; you'd need it if you have multiple machines each with their own unique DNS name, then a wildcard can become cheaper than multiple individual SSL certs.
Thank you Wimdecorte!
I'm sorry for reopening a closed thread, but I have another very related question. I'm going to end up with a single domain with 2 subdomain URLs (i.e. XXX1.DOMAIN.COM and XXX2.DOMAIN.COM). I don't see us going much past that; maybe a 3rd, bot unlikely.
A wildcard SSL cert costs several times that of a single domain SSL. But, a SAN SSL is only a little more than double and in many cases allows for up to 5 domains. Can you I use a SAN SSL in my instance where I will have 2 or 3 subdomains under the same domain?
See the white paper on SSL for a write-up on the difference between SAN and wildcard:
FileMaker Server 17 Admin Console
A SAN is not really meant to cover subdomains of the same domain, it is meant to cover different domain names, so I don't think it would fit.
But there is nothing wrong with just buying individual certs for your two subdomain names, if that is cheaper. A wildcard gives you the opportunity to cover more servers quickly (like a dev or testing server) without having to go and buy another individual one, but it certainly is not a must.
wimdecorte wrote:
A SAN is not really meant to cover subdomains of the same domain, it is meant to cover different domain names, so I don't think it would fit.
But it can work, like you describe. A SAN Certificate can hold multiple host names within one certificate. That can be multiple domains or sub domains. It is not uncommon that it is used for multiple sub domains within one domain.
FileMaker Server can work with SAN SSL Certificates.
- Koen
I spoke with a support person at Godaddy, and was told that a SAN SSL couldn't be used on multiple servers. If I wanted to cover multiple servers, I had to purchase multiple SSLs. I question this because that person also told me that a wildcard SSL wouldn't work on multiple servers either, which I'm fairly certain isn't correct.
I've got 2 or 3 filmmaker subdomains that I'm looking at protecting: production, development, and potentially a beta server for testing. When I looked at Godaddy's community section, I got the impression that the SAN SSL would do this. Anyone have experience with this? I'm trying to avoid purchasing the wildcard cert if possible. 3 individual certs would cost less than the wildcard, but the SAN is less than 3 individual certs.
EDIT: These would be 2 or 3 separate FileMaker servers.
Thanks!
amsc wrote:
I question this because that person also told me that a wildcard SSL wouldn't work on multiple servers either, which I'm fairly certain isn't correct.
The whole point of a wildcard is that it would work on multiple servers sharing the same domain name. It's what is there for.
While the SAN is in theory meant to cover different domain names I would tend to agree with Koen that it could work for multiple subdomains in the same domain. I just haven't tried that, I default to a wild card for this scenario. At $300-$400 for a wild card, I think the cost is fairly inconsequential in the perspective of our development cost.
The good news is that if you buy a SAN, and you find it doesn't work, you haven't really lost your money, you can rekey it and use it for any other SSL requirements you have. You don't buy an SSL cert for a particular domain, you buy the right to an SSL cert so you can rekey it any time to cover whatever you need.
I have no experience with SAN certificates from GoDaddy, but I know for sure others can be installed on multiple servers.
Technically it should not be a problem, license wise it could.
If you go to the GoDaddy website : SAN Certificate | Subject Alternative Name Multi Domain SSL - GoDaddy
It explicit mentions
Our SAN Certificate also covers unlimited server licenses.
You should ask your support rep, what exactly is means by this.
Like wimdecorte says, there is no risk in buying on and give it a try.
- Koen
Wanted to follow up on this. I reached back out to Godaddy yesterday. Interesting conversation. Long story short, the person I spoke to apologized after he read the notes on the account. The first support person was completely off base; I got confirmation that the SAN SSL cert can be installed on multiple servers. You generate one CRM using the details for what ever you consider the primary server, feed that into the certificate generation tool at GoDaddy, and add the other SAN URLs on that screen. Once the URLs are verified, the SSL can then be downloaded and loaded on the servers for those domains listed. You need to also add the same PEM files to all servers.
I've purchased and downloaded the SSL certs but haven't had a chance to load them on the servers yet. (Have to wait for downtime...). I'll let you know how it goes when I get there.
Thanks for everyone's feedback!
Alex
I was able to get the SSL certificates installed on the servers without any issues. I have one lingering issue - RDP. When I use the remote desktop, its telling me that its using a self signed SSL, not the SSL I installed. How do I switch that to the one I just loaded into FMS?
Sure, you can install the same cert on multiple machines. The crux is in the DNS management that points the name to the active instance. So when you do a fail-over, all you have to do is update your DNS to point to the active server and all is well.
You don't need a wildcard cert for this; you'd need it if you have multiple machines each with their own unique DNS name, then a wildcard can become cheaper than multiple individual SSL certs.