Should I Use Two SSL Certificates on The Same Server?

carlosinfl · 10-07-2010, 04:38 PM

I have one physical dedicated server. The name of the server is 'mail.iamghost.tld' which is obviously my Postfix mail server for my users. Now I generated SSL self signed certificates with 'OpenSSL' which is for 'mail.iamghost.tld'. I also have Apache installed on the same server to access my webmail application. I created a pointer record for 'www.iamghost.tld' to point to the same static I.P. as 'mail.iamghost.tld'. So my question is if I also want to encrypt site login's for www.iamghost.tld/webmail, do I need to generate a unique SSL certificate for 'www.iamghost.tld' or can I use my existing SSL certificates that are assigned to 'mail.iamghost.tld'? It's the same server but when people browse to my 'www.iamghost.tld/webmail' site, I don't want there to be an issue with the certificates saying it's for 'mail.iamghost.tld' when they're really communicating with 'www.iamghost.tld'.

Thoughts and or suggestions?

kbp · 10-07-2010, 06:57 PM

Theres a couple of things that need clearing up here,

Quote:

Now I generated SSL self signed certificates

.. how were you intending to use these? email? web?

Quote:

I created a pointer record for 'www.iamghost.tld' to point to the same static I.P. as 'mail.iamghost.tld'.

- maybe you're just using the wrong terminology .. did you mean you created a CNAME record like:

Code:

www CNAME mail.iamghost.tld.

.. or did you really mean a PTR record (used for reverse lookup) ? :

Code:

<ip of mail>   IN PTR www.iamghost.tld.

carlosinfl · 10-07-2010, 07:06 PM

I originally generated the SSL certificates to use TLS for the SMTP & IMAP4. They certificates work great and add additional layer of security for all my email users. However now I have a Apache web server running on the same physical server which I use for a Wiki (logins required) and Webmail (logins required) & I have a CNAME for www to mail. I hope that clears up my gibberish above.

Thanks all!

kbp · 10-07-2010, 09:46 PM

If you're planning on running multiple services from the same physical box under different CNAME's it may be worth creating a wildcard cert -
*.iamghost.tld.

Besides the fact that these are self signed, the certs will need to match whatever the client is connecting to, even if it's a CNAME. So the answer is yes, you will need to obtain a cert for www.iamghost.tld.

cheers

carlosinfl · 10-08-2010, 07:30 AM

OK thanks. So it's not un-common to have a wildcard certificate on a server running multiple services, right? I am just going to use *.iamghost.tld.

kbp · 10-08-2010, 08:04 PM

They are common, you quite often see wildcard certs on load balancers