If I purchase a signed certificate for example.com
, can I then produce sub-certificates for a.example.com
and b.example.com
?
These sub-certificates would have PEM files whose privacy cannot be assured.
Can I do this, maintaining the privacy of the root certificate while generating an unlimited number of disposable sub-certificates that would still be recognized as valid by the original signing authority?
No, that won't work.
In order to sign certificates you need your own certificate authority certificate. The certificates you purchase are signed by a certificate authority, but specifically marked as not being a certificate authority certificate.
Check the "Certificate Basic Constraints" in your certificate, and you will see that it "Is not a Certification Authority".
If you need more then one domain covered by SSL, you need to buy a wildcard SSL certificate. This covers a domain name and all sub-domains. Remember to create your SSL cert for
*.example.com
: otherwise you only sign your normal domain.If you have two different domains you need SSL for each domain.
Or if you have only one subdomain, sometimes two normal SSL certs are cheaper than a wildcard.