Score:-1

Can I create an SSL Certificate to a domain that redirects to other domain servers?


I hope you could help me with this one. Here is the case:

I have a domain in ZoneEdit name dummysite.org.

This domain has the following A records:

| HOST | IP ADDRESS | TTL |
|---|---|---|
| @.dummysite.org | 193.10.xx.xx | default |
| @.dummysite.org | 52.67.xxx.xxx | default |
| www.dummysite.org | 193.10.xx.xx | default |
| www.dummysite.org | 52.67.xxx.xxx | default |

Basically, dummysite.org is just a domain that redirects to either one of the IP addresses listed above. Both IP addresses have their own servers and SSL Certificates.

Now, is it possible for dummysite.org to have its own SSL certificate, given that it does not have a physical host/server? It's really just a domain that redirects to my other servers.

I am asking this because one user of my site tried to access dummysite.org via HTTPS (https://dummysite.org) and he encountered "Your connection is not private" error.

"This server could not prove that it is dummysite.org; its security certificate is from 193.10.xx.xx. This may be caused by misconfiguration or an attacker intercepting your connection."

Comment from Patrick Mevzek:

`123.456.78.99` and `998.765.43.21` are not IPv4 addresses. Please stop obfuscating badly, including for names too.

Comment from Patrick Mevzek:

Ask your CA; you can validate DV certificates typically with the dns-01 validation method if you don't want to do http-01, so a simple `TXT` record in DNS can be enough.
Score:1

TLS certificates live on web servers (or other devices/software providing network services). They don't live on a domain in DNS.

So in short, no. You can't host a certificate just in the DNS zone you control and have it work with a web server you don't control.

However, as the owner (or person in control) of the DNS zone, you could obtain a certificate for that domain and send it to the web server owner to use. Due to the way public certificate validation works, the web server owner could also obtain the certificate themselves because you've pointed your domain name at their server (effectively delegating control of that DNS name).

P.S. When you point your DNS records at a web server's IP address, you're not technically "redirecting" anything. The web client goes directly to the IP you've pointed to. The term "redirect" usually implies a specific HTTP protocol response where the web server a client initially hits tells the client to go somewhere else (a different URL or web server entirely).

Comment from Haetnim Ha:

Thank you for your answer! I would just like to clarify things based on your answer: this means that I cannot create an SSL cert for my domain in DNS **alone**, but I could create an SSL cert for my domain DNS together with the other web servers that it is pointing to? Like a wildcard SSL cert?

Comment from Ryan Bolger:

It might help to separate the concept of creating/obtaining the cert from using the cert with a web server. You can obtain a cert via DNS alone (wildcard or not is irrelevant) from your personal desktop, but it's useless without a web server to install it on. And if the cert needs to live on a web server you don't control, it would usually be more efficient for the person who controls the web server to obtain it in the first place.