Can you re-use a SSL certificate across platforms?
Solution 1:
A real CA will only issue you one valid X.509 cert for each distinct "subject" (DN) or subject/SAN combination at any point in time. A wildcard is generally intended for use on multiple systems. Some CAs used to charge an additional "license" per-device, check the small print.
The key and the cert are tied to each other (this is the assymmetric cryptographic part that I'm not even going to begin to explain here). Each certificate has (in theory) exactly one matching private key, so you cannot have multiple distinct keys and a common certificate.
The approach is:
- you don't generate a CSR on each system individually
- use
openssl
to generate a key and a CSR, follow your chosen CA's instructions - submit CSR, pay $$$ and wait
- use
openssl
to convert the.key
and.crt
as required by the other platform (DER, PEM, P12/PKCS#12) etc - make sure to protect your key at all times on all platforms
- import the key/cert pair on each system, they all share the same pair, albeit likely imported in different formats
One key, one CSR, one cert -- multiple installs.
CAs always ask the platform, mostly to give you a suitable file format (cert and bundle), but I suspect also to workaround known issues (e.g. exact certificate attributes and formats, DN name format, X.509v3 extensions). In general you should be able to use openssl
, tell the CA you use "Apache/mod_ssl", and convert.
Solution 2:
You only need one certificate for each subject - in the case of webservers the subject is the (virtual) host name. The only issue is that there are multiple formats for x509 certificates - but openssl can convert between all the formats I'm aware of (including DER, PEM, PKCS#12, PKCS#7)