To test a specific embedded client, I need to set up a web server serving a couple of SSL (HTTPS) sites, say "main.mysite.com" and "alternate.mysite.com". These should be handled by the same certificate, with a Subject Name of "main.mysite.com" and a Subject Alternative Name of "alternate.mysite.com". This certificate needs to be in an authority chain back to a 'proper' CA (such as GoDaddy, to keep the cost down).
My question is, are there any good tutorials on how to do this, or can someone explain the process? What sort of parent certificate do I need to purchase from the CA provider?
My understanding of SSL certificates is limited, but as Manuel said in Fawlty Towers, "I learn...".
I'm happy to work in Windows (IIS) or Linux (Apache) (or even OSX, for that matter).
Thanks in advance.
The tutorials are here:
http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html
You don't need to worry about the parent certificate. Just get a certificate from a trusted provider (like GoDaddy) with all the names that need to be secured and follow those tutorials to set up each site to use that SSL certificate.
(using Godaddy as example)
First of all it's not necessary to generate a 'multiple domain' CSR. You should just put in the primary domain as if you're just registering a single SSL cert.
In Godaddy when you enter the CSR there is a field underneath, "New Subject Alt Name". They don't make it particularly prominent but it's right under the CSR text field. You can add in any names you want there. If you don't know all the domain names you will need you can add them later and then reissue the cert.
http://support.godaddy.com/help/article/4649/adding-or-dropping-subject-alternative-names-from-ucc-certificates
You don't need to create a new CSR for this - you just re-issue the cert and then must immediately replace it through IIS.
One small catch I found was trying to add certain domains wouldn't let me. I'm pretty sure this is because the domain is controlled by a different godaddy account - but in typical godaddy fashion they didn't give me an error. This may pose a problem if you're trying to create a UCC certificate when the domains span multiple accounts.
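Added example (not part of the posts above): a way to check, before pointing the embedded client at the server, which host names a certificate actually covers. It assumes the OpenSSL command-line tool is installed and uses throwaway self-signed certificates as constructed stand-ins for the CA-issued one; the function names are hypothetical. The second certificate shows that OpenSSL's host name check does not consult the Subject CN once a Subject Alternative Name is present, so the primary name has to appear in the SAN list as well.

```bash
#!/usr/bin/env bash
# Added example: builds throwaway self-signed test certificates (constructed
# sample data, not CA-issued) and checks which host names each one covers.

# make_cert <out-prefix> <common-name> <subjectAltName value>  (hypothetical helper)
make_cert() {
    local prefix=$1 cn=$2 san=$3
    cat > "$prefix.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$prefix.cnf" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
}

# covers <cert-file> <hostname>: succeeds only if the certificate matches the name
covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# list_sans <cert-file>: print the DNS names from the SAN extension, one per line
list_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

workdir=$(mktemp -d)
# Primary name in both the CN and the SAN list.
make_cert "$workdir/both" main.mysite.com "DNS:main.mysite.com,DNS:alternate.mysite.com"
# Primary name only in the CN, alternate name only in the SAN list.
make_cert "$workdir/altonly" main.mysite.com "DNS:alternate.mysite.com"

for cert in both altonly; do
    echo "$cert.crt SANs: $(list_sans "$workdir/$cert.crt" | tr '\n' ' ')"
    for host in main.mysite.com alternate.mysite.com other.mysite.com; do
        if covers "$workdir/$cert.crt" "$host"; then r="match"; else r="NO match"; fi
        echo "  $host: $r"
    done
done
```

The same `covers` and `list_sans` checks can be run against the certificate file the CA issues, before it is installed in IIS or Apache.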