Score:0

Merge SSL certs - one with a proper CA and one self signed

pl flag
Jay

As per the title - is this possible?

I have the scenario of some application running off Tomcat/Apache and in a customer environment, within the local LAN they are on the domain customer.local, and externally they own customer.com

However, the same servers serve both users in the LAN and externally. Is it possible to combine a cert that I can load into the Tomcat/Apache applications so that it will present validly for both internal and external resolution? i.e., local LAN users will visit https://application.customer.local and external users will visit https://application.customer.com

bjoster avatar
cn flag
It is "officially" impossible or even wise to have unrouteable (therefore uncheckable) CNs in one cert. Technically you can do that with a private CA, but no trusted CA will allow that. Search for "Multiple CNs" or "Multi-SAN" certificates. Merging multiple certs isn't possible.
Score:1
ar flag

There's no need to merge certificates.

Just configure two virtual hosts on your server - one for application.customer.local and one for application.customer.com, each with their own certificate, but everything else such as web root in common.

I'm not aware that it's possible to merge or serve multiple certs for the same server.

pl flag
Jay
Was hoping there was some way to merge the certs, ending up with something like multidomain certs. I'll look into virtual hosts, but I have no experience configuring the Tomcat/Apache services, nor am I sure it's endorsed by the application vendor.
Score:0
gu flag

You can't combine existing certificates but you can generate a single new one with multiple SANs.

dave_thompson_085 avatar
jp flag
Although you can't get a cert for anything.local from a public CA, since you don't (uniquely) own it; you can get a cert for both names from your own in-house CA, but external users probably won't -- and probably shouldn't -- trust your in-house CA.
Ginnungagap avatar
gu flag
True, but since using bogus DNS zones you do not own for your internal network is a bad idea, you should own your internal domain, meaning you can do a DNS challenge to obtain a certificate for it. Given how frequently people feel compelled to obfuscate DNS names for no viable reason, the actual internal domain might be something better than the mDNS-reserved .local...
pl flag
Jay
Thanks - I'm aware of how to generate my own certs and install them on external user devices. Was trying to avoid this, however, by combining the certs. Would've been great if I could use the public CA signing on the .com domain (which the customer already has a proper cert for) in this process :) Would've liked to accept this answer as well, since it directly answers my question of whether I can combine certs, but Stack only allows 1 accepted answer.
Ginnungagap avatar
gu flag
Installing your internal CA to external devices is never the answer, "normal" users won't know how and corporate users won't be allowed to. I was pointing towards having a public CA sign a certificate for both domains but that means you need to truly own your internal domain which you always should. If you truly are on a .local domain for your LAN this answer doesn't apply.
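Worked example of what the answer above describes (one new certificate carrying both names as SANs, rather than merging two existing certs). This is added illustration, not code from the thread; it assumes a local `openssl` and uses a self-signed cert as a stand-in for the in-house CA path from the comments. The hostnames are the ones from the question; the working directory and file names are assumptions.

```shell
#!/bin/sh
# Build a single certificate whose subjectAltName covers the internal and
# the external hostname, then check which names it actually covers.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config listing both names in the SAN extension.
# An in-house CA can sign this as-is; a public CA will only issue it if
# every listed name is publicly verifiable (so not for .local).
write_san_config() {
  cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = application.customer.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = application.customer.com
DNS.2 = application.customer.local
EOF
}

# Generate a key and a self-signed cert from that config (constructed example
# values; drop -x509 to emit a CSR for a real CA instead).
make_san_cert() {
  write_san_config
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
    -keyout "$WORKDIR/app.key" -out "$WORKDIR/app.crt" \
    -config "$WORKDIR/san.cnf" -extensions v3_req 2>/dev/null
}

# Succeeds only if the given DNS name is present in the cert's SAN list,
# which is what a browser checks against the visited hostname.
cert_covers() {
  openssl x509 -in "$WORKDIR/app.crt" -noout -text | grep -q "DNS:$1"
}

make_san_cert
cert_covers application.customer.com
cert_covers application.customer.local
echo "certificate in $WORKDIR/app.crt covers both names"
```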