This is a school network.
The official (outside-reachable) domain name is bgschwechat.ac.at (www.bgschwechat..., mail.bgschwechat... and ftp.bgschwechat...).
Internally the Windows domain is named bgs.ac.at.
We need (possibly cheap) SSL certificates for the web server and the Exchange server.
From our firewall (www.bgschwechat.ac.at, Sophos UTM9) requests get NATed to virtual machines; some of them need SSL:
- Web server (running CentOS, www.bgschwechat.ac.at)
- Exchange server (named xch.bgs.ac.at) should be reachable via NAT as mail.bgschwechat.ac.at
- WSUS server (dc2.bgs.ac.at), only for internal clients
My question: what kind of SSL certificate would we need to secure e.g. both domains (bgschwechat.ac.at AND bgs.ac.at) so that they appear secured from outside when NATting, for example, mail.bgschwechat.ac.at to xch.bgs.ac.at?
Or do we need to rename the interior domain to the official domain name?
...recommendations on where to purchase such a certificate?
I assume that you won't get a wildcard certificate for *.ac.at here ;)
A certificate with both domain names is called a multi-domain certificate, in your case bgs.ac.at and bgschwechat.ac.at. Additionally you need wildcard certificates for *.bgs.ac.at and *.bgschwechat.ac.at. All the names can be in one certificate using Subject Alternative Names. You can generate such a certificate with OpenSSL using a config file:
using an existing key bgschwechat.ac.at.key generated by and using the following bgschwechat.ac.at.cnf:
You have to pay for 2 simple domain certificates here, plus 2 wildcards. So it's definitely cheaper to rename the internally used domain name (or redirect it using HTTP). Instead of the wildcards, you can also add all subdomains (mail, www, etc.) to the list of alternate domains.
If you don't want to secure your internal domain bgs.ac.at, you can leave that out.
On only "outside resolvable" addresses?: Every CA can define its own rules. In most cases it's a question of money, as always with CAs. Usually CAs won't issue certs for unresolvable addresses (only if you pay more). As bgs.ac.at is not resolvable, you won't get a cert that easily. If it's only used internally, you can also issue a self-signed cert and deploy that at every computer.
Recommendations on where to buy something are off-topic on Serverfault.
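As an added example (not the answer's own config, which did not survive above): an OpenSSL request config that puts both domains and both wildcards into one subjectAltName list, plus the key/CSR steps and a check of what the CSR actually carries. The file names, the O field and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds an OpenSSL request
# config with all four names as SANs and generates a CSR from it.

# Emit the request config on stdout. CAs and browsers match on the SAN
# list, not the CN, so every name (including the CN) goes into alt_names.
san_cnf() {
    cat <<'EOF'
[ req ]
default_bits        = 2048
prompt              = no
default_md          = sha256
distinguished_name  = dn
req_extensions      = v3_req

[ dn ]
C  = AT
O  = BG Schwechat
CN = bgschwechat.ac.at

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = bgschwechat.ac.at
DNS.2 = *.bgschwechat.ac.at
DNS.3 = bgs.ac.at
DNS.4 = *.bgs.ac.at
EOF
}

# Write the config, generate a key and CSR, then print the SAN extension
# from the CSR so the name list can be verified before it goes to a CA.
make_csr() {
    cnf="$1"; key="$2"; csr="$3"
    san_cnf > "$cnf"
    openssl genrsa -out "$key" 2048 2>/dev/null
    openssl req -new -key "$key" -out "$csr" -config "$cnf"
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name'
}

# Assumed file names; only runs where openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    make_csr bgschwechat.ac.at.cnf bgschwechat.ac.at.key bgschwechat.ac.at.csr
fi
```

A public CA will only sign the names it can validate, so the bgs.ac.at entries are only useful with a CA that can validate that domain or with an internal CA.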