
Wildcard SSL Certificates - creation/installation details?

SacAutos

Regular Pleskian
I manage a series of domains for a car dealer. Each website is like (but not limited to) this:

acura.cardealer.com
honda.cardealer.com
chevy.cardealer.com

and so forth. I have each of these domains created in Plesk as individually hosted websites. Now they want to start doing some online commerce which will require some secure certificates.

Rather than buy individual certificates for each cardealer.com site, I thought it would be more efficient (and cheaper) to purchase a wildcard certificate for cardealer.com. Here are my questions:

How do I create the CSR (Certificate Signing Request) with Plesk? What domain do I enter (cardealer.com or *.cardealer.com) in the request? Or must I use the command line to generate the CSR?

Secondly, how do I install the certificate once I receive it from the CA (Certificate Authority)? Is this process any different from "normal?"

Lastly, what IP address scheme do I use? Do I allocate a single, unique IP address for cardealer.com and then multi-home it for all the cardealer domains or do I have to reserve an IP for each xxx.cardealer.com domain that I host?

Thanks for any guidance that you may offer.
 
One more thing...

After reviewing my post, I realized that somebody is going to read that and think that I'm using subdomains. I'm not and was not planning on doing so. The only compelling reason to do that would be if I must in order to get the wildcard certificates to work. And from what I've read so far, that doesn't look to be the case.
 
I'd recommend utilizing a different method for their purchases. Having something along the lines of "secure.cardealer.com" or "shop.cardealer.com", then using subdirectories within it for each brand (shop.cardealer.com/acura, etc). Although the wildcard certificate would work, it'd make things a bit more complicated. I'm not sure Plesk can, directly, generate the CRN needed to acquire such a domain. Perhaps contacting the Plesk Support team directly would yield a valid response.
 
I'll reply to this myself

I paid Tech Support the per-incident fee to learn this info as to save the lives of additional Bothans...

As I suspected, Plesk will not allow me to create a wildcard certificate. I must do that using the command line, which I can deal with easily enough. When generating the CSR, use *.cardealer.com to specify all subdomains of cardealer.com .

Installation of a wildcard certificate in no way differs from a "normal" one.

Lastly, to make use of the wildcard certificate, allocate an IP address to be shared for all the *.cardealer.com sites. Apply the wildcard certificate to that IP address. Supposedly that should do the job. I shall be purchasing my wildcard certificate within the next week or two, so I'll know for sure whether this works or not soon enough!
 
Could you please give us an update on if you managed to install a wildcard SSL outside Plesk and use it without problems?
 
FWIW, after generating my CSR from the cl I was able to install the cert for a dedicated IP and it functions as expected on the domain and subdomains setup in A records (eg. webmail., etc).

Most instructions I found for generating the ssl.key include encryption, however before Plesk (7.5.4) would accept the key I had to remove the encryption.

So if you get an "Invalid Key" from Plesk:
Code:
# cd /path/to/your/ssl.key
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

YMMV!
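
The command-line steps discussed in this thread, as an added example that is not part of any poster's original message: it generates a passphrase-free key and a CSR for *.cardealer.com, then runs the checks worth doing before handing the key to Plesk. The function names and the C/O subject values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). cardealer.com is the thread's placeholder
# domain; the C= and O= subject values below are constructed.

# make_wildcard_csr DIR DOMAIN
# Writes DIR/server.key (no passphrase, as Plesk requires) and DIR/server.csr.
make_wildcard_csr() {
    dir=$1; domain=$2
    ( umask 077   # an unencrypted key is protected only by file permissions
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/server.key" -out "$dir/server.csr" \
          -subj "/C=US/O=Example Dealer/CN=*.$domain" 2>/dev/null )
}

# key_is_encrypted FILE: succeeds if the PEM key is passphrase-protected
# (PKCS#8 encrypted header, or the traditional Proc-Type header).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# csr_cn FILE: prints the Common Name the CA will see in the request.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# csr_matches_key CSR KEY: succeeds if both carry the same public key,
# i.e. the certificate issued from this CSR will pair with this key.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_wildcard_csr "$work" cardealer.com
echo "CSR CN: $(csr_cn "$work/server.csr")"
if key_is_encrypted "$work/server.key"; then
    echo "key is encrypted: strip the passphrase before uploading"
else
    echo "key is unencrypted"
fi
csr_matches_key "$work/server.csr" "$work/server.key" && echo "CSR matches key"
rm -rf "$work"
```
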
 
Yup, it worked!

Originally posted by AbsolutelyFreeW
Could you please give us an update on if you managed to install a wildcard SSL outside Plesk and use it without problems?

Thanks for showing an interest...

The answer is yes. I finally purchased and installed my wildcard certificate. I had a false-start or two that are worthy of noting. My first inclination was to create my certificate under one of the domains that I had created. That didn't do it. I undid that and went to the control panel for the server and created my certificate there. Then I went to my IP address that I had reserved for traffic for my domains and assigned the certificate there. I was then able to visit the hosting panel for each of my *.cardealer domains and check-on the SSL traffic checkbox. The other false-start was that I needed to restart Apache via the service management page before the certificate was recognized.

And BTW, btking is right. You have to create your certificate without a password, which is what I had done to create mine.

I wish all of my questions/problems were solved so easily!
 
Great topic, thanks for posting it and for following up with the additional info!

Were you able to set up the wildcard so that the sites would have separate IPs?

honda.cardealer.com 123.123.123.001
acura.cardealer.com 123.123.123.002
other.cardealer.com 123.123.123.003

Or did you have to use the one IP that they all share?

- Thanks
 
Actually I shared the same IP

I allocated an IP address for just all the domains that will be using the wildcard IP and shared that.
 
Thanks - I read more, I guess there's no way around the one IP per cert too.

Will be referring back to this post a lot today while setting up the wildcard - going to do it the same way as you have with name.domainname.com's all on shared IP assigned to the wildcard cert.

Will post any quirks back if we run into anything.
 
Got it to work - ran into a couple of things related to GoDaddy wildcard cert.

When submitting the CSR the info needs to match the account info on their form.

Then when creating the cert you need both Starfield and Valicert CAs for the CA cert.

After that, I set up test.wildcarddomain.com as a separate hosted domain name on the same IP as the wildcard cert and it's working great.

The only thing now, am trying to get it to work without having to set up a separate hosted domain account. Adding an A record to DNS for test.wildcarddomain.com didn't work and adding a subdomain didn't work (Plesk doesn't do SSL for subdomains).

Anyone have a method to map the HTTPSDOCS to the wildcard IP or something?
 