
I just acquired an SSL cert for our domain tspack.us, so I am assuming that the cert is ONLY good for that exact name, correct? I technically can't use www.tspack.us because it won't match exactly with tspack.us, is my understanding.

I already added a CNAME in my DNS settings for www.tspack.us to point to tspack.us

Is this standard procedure for setting up SSL websites?

Also, do I still require 2 bindings on my webserver? For example: tspack.us:80 and tspack.us:443

  • If I am not wrong, Let's Encrypt has a lot of helpful information and offers free access to TLS. Maybe this can also help a bit: letsencrypt.org Commented Feb 8 at 13:53

1 Answer


I just acquired an SSL Cert for our domain tspack.us - so I am assuming that the Cert is ONLY good for that exact name correct?

Yes, but a certificate can include multiple domain names, and some CAs will actually add the www. as a second name for free. Open your .crt file and check what's in the "Subject Alt Name" extension – that's the list of valid names.

I technically can't use www.tspack.us because it won't match exactly with tspack.us is my understanding.

Yes, it has to be an exact match. If the CA did not include the subdomain variant in the cert's SubjectAltName, then you cannot use the cert for that.

Also, do I still require 2 bindings on my webserver? For example: tspack.us:80 and tspack.us:443

It's still a good idea to have a binding on :80 that redirects to the primary website at :443. Even though some browsers now go straight for :443 first, there could still be some that start at :80.

(Note: In Apache, you don't want domain:80, you want to use *:80 and *:443.)

If you don't have the binding, it could be that the webserver is still listening for requests on :80 and is serving some generic "It Works!" webpage. You don't want visitors to be stuck on that. Either it should serve at least a redirect, or it shouldn't be listening on that port at all.

(However, even in that case, keep port 80 open – do not let your firewall completely drop the connection. That'll result in a long initial delay for such visitors. The connection should be either immediately accepted or immediately refused, but not dropped. So it's going to be easier to just have a binding/vhost on :80 like you normally would.)
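As an added illustration of the SubjectAltName point above (example code written for this page, not part of the question or the answer): the browser compares the host name typed into the URL bar against the certificate's dNSName entries, so the CNAME for www does not change which names must appear in the certificate. The constructed text below is what `openssl x509 -in tspack.crt -noout -ext subjectAltName` prints for a certificate with and without the www name; the matcher then applies the RFC 6125 rules, including the wildcard case (`*.tspack.us` covers www.tspack.us but not the bare tspack.us), which goes beyond the two names discussed in the answer. The file name tspack.crt and the sample certificate contents are assumptions.

```python
import re

# Constructed sample output of:
#   openssl x509 -in tspack.crt -noout -ext subjectAltName
# for a certificate that covers the apex and the www name (file name assumed).
SAN_APEX_AND_WWW = """X509v3 Subject Alternative Name: 
    DNS:tspack.us, DNS:www.tspack.us
"""

# Constructed sample for a certificate issued for the apex name only.
SAN_APEX_ONLY = """X509v3 Subject Alternative Name: 
    DNS:tspack.us
"""


def parse_san_dns_names(openssl_output: str) -> list[str]:
    """Pull the DNS: entries out of openssl's subjectAltName text dump.

    Names are lower-cased and a trailing dot is dropped, because host name
    comparison is case-insensitive and 'tspack.us.' is the same name.
    """
    return [n.lower().rstrip(".") for n in re.findall(r"DNS:([^,\s]+)", openssl_output)]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a host name per RFC 6125 section 6.4.3.

    - an entry without '*' must match the whole host name exactly
    - a wildcard may only be the entire left-most label ('*.tspack.us')
    - the wildcard stands for exactly one label, so '*.tspack.us' matches
      'www.tspack.us' but neither 'tspack.us' nor 'a.b.tspack.us'
    - a wildcard with fewer than two fixed labels ('*.us') is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # '*x.tspack.us' or 'www.*.us' style patterns are not valid
    if len(p_labels) < 3:
        return False  # refuse '*.us'
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # wildcard covers exactly one non-empty label
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any SAN entry matches the host name the visitor typed."""
    return any(hostname_matches(n, hostname) for n in san_names)


def check_names(openssl_output: str, hostnames: list[str]) -> dict[str, bool]:
    """Report, per host name, whether the certificate dump would be accepted for it."""
    names = parse_san_dns_names(openssl_output)
    return {h: cert_covers(names, h) for h in hostnames}


if __name__ == "__main__":
    wanted = ["tspack.us", "www.tspack.us", "mail.tspack.us"]
    print("apex-only cert:   ", check_names(SAN_APEX_ONLY, wanted))
    print("apex+www cert:    ", check_names(SAN_APEX_AND_WWW, wanted))
    print("wildcard vs apex: ", hostname_matches("*.tspack.us", "tspack.us"))
```

Run it against your own certificate by pasting the real `openssl x509 ... -ext subjectAltName` output in place of the constructed samples; if www.tspack.us comes back False, the CA did not include it and the www name needs its own certificate or a reissue.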
