多个SSL证书可以保护同一个子域吗?
[英]Can multiple ssl certificates protect the same subdomain?
问题描述
I have elastic beanstalk apps running on www.learningdollars.com and dev.learningdollars.com and I have a gitlab ubuntu instance running on gitlab.learningdollars.com 
我有在www.learningdollars.com和dev.learningdollars.com上运行的弹性beantalk应用程序,并且我在gitlab.learningdollars.com上运行了gitlab ubuntu实例
I was thinking of using AWS ACM but it seems that it will only work for the elastic beanstalk apps (through the load balancer in the config section) not the gitlab instance. 我当时正在考虑使用AWS ACM,但它似乎仅适用于弹性beantalk应用程序(通过config部分中的负载平衡器),而不适用于gitlab实例。
So I registered *.learningdollars.com in AWS ACM and I am purchasing a certificate from godaddy or digicert for gitlab.learningdollars.com 因此,我在AWS ACM中注册了* .learningdollars.com,并且我正在从godaddy或digicert购买gitlab.learningdollars.com的证书
Technically the AWS ACM cert covers *.learningdollars.com so it covers gitlab.learningdollars.com but I don't get access to the raw file so I can't use it. 从技术上讲,AWS ACM证书涵盖* .learningdollars.com,因此涵盖gitlab.learningdollars.com,但我无法访问原始文件,因此无法使用它。
So will I run into any issues with the above steps or are they fine? 那么我会遇到上述步骤的问题吗?
1 个解决方案
解决方案1
6 已采纳 2016-06-22 08:48:32
Well, a certificate is merely a declaration by the certificate issuer that mentioned domain name does belong to the certificate owner (ie you). 嗯,证书只是证书颁发者的声明,其中提到的域名确实属于证书所有者(即您)。 So, yes, you can have multiple certificates for the same domain name from different issuers. 因此,是的,您可以拥有来自不同发行者的同一域名的多个证书。 Event if it is exactly same domain name (as in "you can have independent certificates from digicert and godaddy for gitlab.learningdollars.com and they both will be valid"). 如果它是完全相同的域名,则发生事件(如“您可以从diglabcert和godaddy获得gitlab.learningdollars.com的独立证书,并且它们都有效”)。
It's more like having photo ID from different institutions or countries. 这更像是具有来自不同机构或国家的带照片的身份证。 For example a passport and a driver license. 例如护照和驾驶执照。 Having one does not invalidate another. 拥有一个不会使另一个无效。 So, browsers only verify a certification chain. 因此,浏览器仅验证证书链。 Nobody even tries to check if other certificates exists for the same domain name (in fact, I don't believe that is even possible in general). 没有人甚至试图检查同一域名是否存在其他证书(实际上,我一般认为这是不可能的)。
You should only be careful with getting intersecting certificates from the same issuer as even though it's a technically correct situation, many issuers automatically invalidate conflicting certificates (assuming that you will use a your new certificate instead). 从技术上讲正确的情况下,即使从同一颁发者那里获取相交的证书,您也应该小心谨慎,即使在技术上正确的情况下,许多颁发者也会自动使有冲突的证书无效(假设您将使用新证书代替)。
Having said that, I'd like to clarify that you can actually use ACM certificate outside of beanstalk by just using a Load Balancer. 话虽如此,我想澄清一下,您实际上可以仅通过使用Load Balancer来在beantalk之外使用ACM证书。 I find it costing roughly as much as a third party certificate would cost me. 我发现它的成本大约相当于第三方证书的成本。 But it also takes some load off me watching after https security issues (such us reviewing and updating list of ciphers or rebuilding server with newer version of openssl). 但是,这也减轻了我在https安全问题之后的负担(例如,我们查看和更新密码列表或使用更新版本的openssl重建服务器)。 I understand though that Load Balancer might cost substantially more for a very popular site. 我知道尽管对于一个非常受欢迎的网站,Load Balancer的成本可能要高得多。 So, you do your math. 所以,你做你的数学。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.