If I have test.example.com and prod.example.com (two hostnames, but same domain name), can I use the same SSL cert on both machines?
In the past when I tried using a prod.example.com cert on test.example.com it resulted in browser warnings for host-mismatch, which led me to believe that I needed a wildcard (or else multiple distinct certs). (Perhaps my mistake was in generating the CSR for prod.example.com rather than simply example.com?)
But the various SSL vendors' websites mention needing a wildcard cert for subdomains, which is not at all what I am using.
Is their language simply incorrect? (My cynical side wonders if this helps vendors sell more expensive certs...)
You would need a certificate that supports the Subject Alternate Name field, and you would have test.example.com in there for it to work in the example that you described.

A cert for example.com will not magically work for *.example.com like you are describing unless it is a wildcard cert, which you explicitly say that you do not have. The SAN field listing each sub-domain is what you need if you're not going to get a wildcard.

No, yours is.

These are not the same domain name. They are both separate domain names that happen to be subdomains of example.com. A domain name is any name that exists at any level in the DNS, not just the ones you get from your domain registrar.
An SSL certificate can only cover:
Hence you can't just get a cert for example.com and have it automatically cover the subdomains too.

First a clarification: there are no subdomains in the way you are using the term, only domains. Or better, you can say that any domain you own is a subdomain. The root domain is ".". The TLD "com." is a "subdomain" of ".". "example.com." is a subdomain of "com."... A subdomain is a domain defined inside another domain, but this is relative, not an absolute attribute.
The wildcard certificates are more expensive not because they are different from a single-domain one, but because of their exposure and chances to get compromised. You are not paying the SSL CA the "price" for a certificate, but for a limited insurance. This insurance covers only if the breach is caused by a mishandling of your certificate and its chain by the CA.
If you have only a few subdomains it is cheaper to buy a certificate for multiple domains (certificates that use Subject Alternate Name). If you have many subdomains of a domain, or you expect to add an unknown number of subdomains, you had better buy a wildcard certificate. If you have different domains (example1.com, example2.com, example1.us) you can only use SAN certificates, or you buy a wildcard certificate for each domain. (E.g. you cannot buy a wildcard certificate for *.com.)
Using a SAN certificate or wildcard certificate could lower the security of your configuration, because it will force you to use the same listener and most probably the same user (you can run with different users with something like mod_suexec for Apache). So if one site gets compromised, it could lead to the other sites getting compromised. If you have different certificates you can run those applications as different users and have better security.
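As an added illustration (not code from any of the answers), here is the hostname-matching rule a browser applies when deciding whether a certificate covers the name in the URL, which is why a prod.example.com or example.com cert warns on test.example.com while a SAN entry or a *.example.com wildcard does not. The certificates are constructed dicts standing in for X.509 subject data, and san_csr_config is a hypothetical helper that emits the OpenSSL config for the multi-name (SAN) CSR the answers recommend.

```python
# Hostname matching per the RFC 6125 rules browsers apply (pure stdlib).
# Certificates below are constructed dicts, not real X.509 objects.

def _wildcard_ok(labels):
    """Wildcard is honoured only as the whole leftmost label, with at least
    two labels after it: *.example.com yes; *.com and t*st.example.com no."""
    if any("*" in label for label in labels[1:]):
        return False
    if "*" in labels[0]:
        return labels[0] == "*" and len(labels) >= 3
    return True

def name_matches(pattern, hostname):
    """True if one certificate name (dNSName SAN entry or CN) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree:
    # *.example.com covers test.example.com, not example.com or a.b.example.com.
    if len(p_labels) != len(h_labels) or not _wildcard_ok(p_labels):
        return False
    return all(p == h or (p == "*" and h != "")
               for p, h in zip(p_labels, h_labels))

def cert_covers(cert, hostname):
    """cert = {"cn": str, "san": [dNSName, ...]}. A present SAN list is
    authoritative and the CN is ignored; a CN-only cert falls back to the CN."""
    names = cert["san"] if cert.get("san") else [cert["cn"]]
    return any(name_matches(name, hostname) for name in names)

def san_csr_config(names):
    """Hypothetical helper: OpenSSL config for a CSR whose SAN lists `names`.
    Use as: openssl req -new -key server.key -config san.cnf -out server.csr"""
    alt = ",".join("DNS:" + n for n in names)
    return ("[req]\ndistinguished_name = dn\nreq_extensions = v3_req\n"
            f"[dn]\nCN = {names[0]}\n[v3_req]\nsubjectAltName = {alt}\n")

# Constructed sample certificates mirroring the question.
PROD_ONLY = {"cn": "prod.example.com", "san": ["prod.example.com"]}
APEX_ONLY = {"cn": "example.com", "san": ["example.com"]}
WILDCARD = {"cn": "*.example.com", "san": ["*.example.com"]}
SAN_BOTH = {"cn": "prod.example.com",
            "san": ["prod.example.com", "test.example.com"]}

if __name__ == "__main__":
    for cert in (PROD_ONLY, APEX_ONLY, WILDCARD, SAN_BOTH):
        print(cert["san"], "covers test.example.com:",
              cert_covers(cert, "test.example.com"))
    print(san_csr_config(["prod.example.com", "test.example.com"]))
```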
If your cert for prod.example.com isn't a wildcard cert, then to use it on a server having the domain name of test.example.com, what's to stop adding an entry to the %SystemRoot%\System32\drivers\etc\hosts file giving the IP of the test.example.com machine a fake domain name of whatever.prod.example.com? That way validation on the prod.example.com cert installed onto the test.example.com machine should just work, because the hosts file proves the (fake) prod.example.com hostname it's looking for. Just a thought, as I've used this technique myself for development.