Which FQDN hostname to use for an SSL certificate signing request, when using a CNAME record?

We have a subdomain (https://portal.company.com) that is the alias for a different hostname (defined in a CNAME record).

This dynamic DNS hostname (https://portal.dlinkddns.com) resolves to the public (dynamic) IP address of our office. At the office, the router is configured to forward port 443 to a server running a (Spiceworks) web portal that the staff can access from home. Even if the office's public IP address changes, the subdomain will still direct staff to the web portal. Everything works great, apart from the (expected) SSL certificate error staff see when they first connect to the site.

I've just purchased an SSL certificate, and am now in the process of completing a certificate signing request on the server.

Which leads me to my question...

When completing the certificate signing request, for "Common Name (e.g. server FQDN or YOUR name)", what should I enter?

Should I enter the canonical name (https://portal.dlinkddns.com) or the alias (https://portal.company.com)? The FQDN of the server itself is "servername.companyname.local", so I can't use that.

Any suggestions or ideas would be much appreciated!


Solution 1:

You use the name the service is accessed as. So if your portal clients visit https://portal.dlinkddns.com, use portal.dlinkddns.com. And if they visit https://portal.company.com, use portal.company.com.

If your clients will access both, get a certificate with one of the names as DN and the other as subjectAltName, so it can be used for both.

If I'm reading correctly between the lines of your question, all that will be accessed in a browser is https://portal.company.com, so in your case: get a certificate for that name.

Solution 2:

If you have the domain company.com (for example) and you want the certificate's Common Name to "just work", then consider using a wildcard-based Common Name like this: *.company.com

Then the SSL certificate should work for https://company.com and https://www.company.com and whatever subdomains you choose to use.

Note: I have used this only in self-signed certificates, created with the openssl command, but it might also work for "real" certificates; I don't see a reason why they wouldn't. (But I've heard that wildcard certificates might be more expensive than non-wildcard certificates, when purchased.)

It's a shame that the openssl command doesn't give this information as a hint, when it asks for the Common Name. When self-signing my SSL certificates for test servers, I routinely use a Common Name in the format "*.company.com".
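As an added example (not code from the question or from either answer), this is how the "one name as Common Name, the other as subjectAltName" request from Solution 1 can be produced non-interactively with the openssl command that Solution 2 mentions, so the prompt for the Common Name never comes up. It assumes the openssl CLI (1.1.1 or later, for `-addext`), uses the two hostnames from the question, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the question or either answer): generate a CSR whose
# Common Name is the alias staff type into the browser and whose
# subjectAltName lists both the alias and the canonical dynamic-DNS name,
# so a single certificate is valid for either URL.
# Requires the openssl CLI (1.1.1+ for -addext). File names are placeholders.
set -eu

ALIAS_NAME="portal.company.com"          # the name staff type in the browser
CANONICAL_NAME="portal.dlinkddns.com"    # the CNAME target (dynamic DNS)

# Create a private key and CSR in the directory given as $1.
# CN carries the primary name; both names go into subjectAltName because
# current clients match the server name against the SAN list, not the CN.
make_csr() {
    dir="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/portal.key" \
        -subj "/CN=$ALIAS_NAME" \
        -addext "subjectAltName=DNS:$ALIAS_NAME,DNS:$CANONICAL_NAME" \
        -out "$dir/portal.csr" 2>/dev/null
}

# Print the DNS names the CSR actually requests, one per line, so the
# request can be checked before it is submitted to the CA.
csr_dns_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Print the Common Name from the CSR subject (handles "CN=x" and "CN = x").
csr_common_name() {
    openssl req -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_csr "$tmp"
    echo "CN:   $(csr_common_name "$tmp/portal.csr")"
    echo "SANs:"; csr_dns_names "$tmp/portal.csr"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the CN and SAN list that would be sent to the CA; the private key stays on the server and only `portal.csr` is submitted.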