In the context of a web server with HTTP, HTTPS, IMAPS, POP3S, SMTPS, SFTP and WebDAV services, is it necessary to get an SSL certificate for the FQDN hostname of a server (example: something.example.com), if we never use the FQDN hostname for HTTPS (like: https://something.example.com)?
Can't we just install an SSL certificate for the "root" domain (like example.com) and use it for all secured services?
The domain name used in the SSL certificate needs to match the hostname that is used to access the service. So if you run all your services on the same server(s), i.e. example.com, you can use the same hostname for all your services, and thus use the same certificate for all of them. The downside is that this makes it hard for you should you ever want to split your services between different servers.
The name which gets used to access the site should be contained in the certificate. Which means if you access the IMAP service with the hostname imap.example.com then it is not enough to have a certificate for example.com only. If these are both the same IP address then you could of course simplify the configuration by accessing the IMAP service with example.com and not imap.example.com. This is true for all protocols.
In this case, get a wildcard SSL certificate for *.example.com; you can also use it for your root, example.com.
If the configuration of the clients is "example.com" and the certificate provided by the services has the same name, you will not have any problem.
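The name-matching rule the answers describe, as an added example that is not part of the original posts: a simplified Python check that reports which services' configured hostnames are covered by a certificate's subjectAltName DNS entries. The function names, the per-service client configuration and the certificate name lists are constructed for illustration; the matcher handles plain DNS names only (no IDNA, no IP addresses) and treats a wildcard as standing for exactly one left-most label.

```python
# Added example: simplified RFC 6125-style hostname check (DNS names only).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName entry covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero
    if p[0] == "*":
        # Wildcard is accepted only as the whole left-most label and only
        # when at least two further labels follow it.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, hostname) -> bool:
    """True if any subjectAltName entry covers the name the client uses."""
    return any(name_matches(n, hostname) for n in san_names)


def audit(san_names, client_names) -> dict:
    """Map each service to whether its configured hostname is covered."""
    return {svc: cert_covers(san_names, host)
            for svc, host in client_names.items()}


# Constructed sample: the hostname each client is configured to connect to.
CLIENT_NAMES = {
    "https": "example.com",
    "imaps": "imap.example.com",
    "smtps": "example.com",
}

# Constructed sample: name lists of three hypothetical certificates.
CERT_ROOT_ONLY = ["example.com"]
CERT_WILDCARD_ONLY = ["*.example.com"]
CERT_WILDCARD_AND_ROOT = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for label, sans in [("root only", CERT_ROOT_ONLY),
                        ("wildcard only", CERT_WILDCARD_ONLY),
                        ("wildcard + root", CERT_WILDCARD_AND_ROOT)]:
        print(label, audit(sans, CLIENT_NAMES))
```

The check is the same for every TLS-wrapped protocol, because the client always compares the name it was configured with against the names in the certificate.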