Let's say I want to buy a wildcard SSL that I can use for web servers, spanning across a multitude of different servers and platforms.
I could issue a CSR for each and every one of them, with their own private-public key pairs, but would it be possible to distribute the private key to all of the different servers and use the same certificate? That way, I would only issue 1 CSR and then deploy it to a mixture of platforms. Or are the certificates issued differently for different platforms?
The current farm is a mixture of:
- Windows 2008 R2 and IIS
- Linux and Tomcat (running JIRA and Confluence)
- Clavister firewall (I assume I don't get an answer to this though)
A real CA will only issue you one valid X.509 cert for each distinct "subject" (DN) or subject/SAN combination at any point in time. A wildcard is generally intended for use on multiple systems. Some CAs used to charge an additional "license" per-device, check the small print.
The key and the cert are tied to each other (this is the asymmetric cryptographic part that I'm not even going to begin to explain here). Each certificate has (in theory) exactly one matching private key, so you cannot have multiple distinct keys and a common certificate.
The approach is:
- openssl to generate a key and a CSR, follow your chosen CA's instructions
- openssl to convert the .key and .crt as required by the other platform (DER, PEM, P12/PKCS#12) etc
One key, one CSR, one cert -- multiple installs.
CAs always ask the platform, mostly to give you a suitable file format (cert and bundle), but I suspect also to work around known issues (e.g. exact certificate attributes and formats, DN name format, X.509v3 extensions). In general you should be able to use openssl, tell the CA you use "Apache/mod_ssl", and convert.
You only need one certificate for each subject - in the case of webservers the subject is the (virtual) host name. The only issue is that there are multiple formats for x509 certificates - but openssl can convert between all the formats I'm aware of (including DER, PEM, PKCS#12, PKCS#7).
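The "one key, one CSR, one cert, multiple installs" flow from the answers above, as an added example that is not part of the original posts: it generates the key and CSR, converts the result to PKCS#12 and DER, and checks that every output still carries the same public key. The subject `*.example.com`, the file names, the export password and the self-signing step (a stand-in for the CA so the script runs offline) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
set -euo pipefail
umask 077                      # files holding the private key stay owner-only

# Constructed values for this example: subject, file names, export password.
CN='*.example.com'
P12_PASS='change-me'

make_key_and_csr() {           # one key, one CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${CN}" \
    -keyout wildcard.key -out wildcard.csr 2>/dev/null
}

# Stand-in for the CA so the script runs offline: self-sign the CSR.
# In real use, send wildcard.csr to the CA and save its reply as wildcard.crt.
stand_in_ca_sign() {
  openssl x509 -req -in wildcard.csr -signkey wildcard.key -days 30 \
    -out wildcard.crt 2>/dev/null
}

convert_formats() {
  # PKCS#12 bundle (key + cert): importable by IIS, usable by Tomcat as a
  # PKCS12 keystore.
  openssl pkcs12 -export -inkey wildcard.key -in wildcard.crt \
    -name wildcard -passout "pass:${P12_PASS}" -out wildcard.p12
  # DER (binary) encoding of the same certificate.
  openssl x509 -in wildcard.crt -outform DER -out wildcard.der
}

# SHA-256 of the public key found in the key, the PEM cert or the P12 bundle.
pubkey_hash() {
  case "$1" in
    key)  openssl pkey -in wildcard.key -pubout ;;
    cert) openssl x509 -in wildcard.crt -noout -pubkey ;;
    p12)  openssl pkcs12 -in wildcard.p12 -passin "pass:${P12_PASS}" \
            -nokeys -clcerts | openssl x509 -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

cd "$(mktemp -d)"
make_key_and_csr
stand_in_ca_sign
convert_formats
for f in key cert p12; do printf '%-4s %s\n' "$f" "$(pubkey_hash "$f")"; done
```

All three hashes match when the key, certificate and bundle belong together, which makes this a useful check before installing on each platform. Since every server ends up holding the same private key, move the key or P12 file only over protected channels and plan on revoking and reissuing for all hosts if any one of them is compromised.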