
CNAME or A record for domains having SSL certificate www.mydomain.com


We have two A records pointing to the same public IP address:

  • www.example.com IN A 192.*.*.*
  • example.com IN A 192.*.*.*

We have a certificate issued by Verisign to www.example.com. Now when the user types https://www.example.com/xyz, everything works fine as expected.

But when we use https://example.com/xyz, the browser throws an error:

"There is a problem with this website's security certificate"

and asks the user to decide whether they trust it and want to go ahead.

Now what should be the best practice here:

  1. Change the certificate and get a wildcard certificate for *.example.com
  2. Use the following settings in DNS:

    • www.example.com IN A 192.*.*.*
    • example.com IN CNAME www.example.com
  3. Write an HTTP module in the .Net pipeline to redirect users who type example.com/xyz to www.example.com/xyz. I know this is not recommended.

We would like to do something like what chase.com is doing. If you type chase.com it takes you to https://www.chase.com/.


Solution

  • None of the above. You should get an SSL certificate that covers both domains: www.mydomain.com and mydomain.com.

    As per your proposals:

    1) Having a wildcard certificate for a single domain, *.mydomain.com, will still give you an error when opening mydomain.com without any prefix. You may of course get a multi-domain certificate for *.mydomain.com and mydomain.com.

    2) For the sake of SSL, it doesn't matter whether it is a CNAME or an A record: DNS is used to get the address (A record) of your webserver; afterwards the browser still expects the SSL certificate to match exactly what you type in the address bar.

    3) That would work for HTTP requests, but when the user types https://mydomain.com, the browser checks the SSL certificate before it processes the redirection request, and will still show the warning.

    P.S. You have this problem because the CA industry is totally screwed. Their product pages all look like "super 256-bit encryption" (certificates have nothing to do with encryption strength), "mobile support" (be it mobile or mainframe, the certificate is all the same), and "a free site seal included" (site seal is a great name for a CA advertisement placed on your site).

    All the "not important" things, like whether it's CRL or OCSP, or which domain names it covers at all, are never mentioned.
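The name check the answer describes, as an added example that is not part of the original question or answer: the browser resolves the hostname through DNS (A or CNAME makes no difference), then compares the name typed in the address bar against the DNS names in the certificate's subjectAltName (or the subject CN when no SAN is present), applying the RFC 6125 wildcard rule that `*` must be the whole left-most label and matches exactly one label. The three sample certificate dicts are constructed for illustration in the shape `ssl.SSLSocket.getpeercert()` returns, not real Verisign-issued certificates; `fetch_cert` is an assumed helper name for pulling a live certificate into that shape.

```python
"""Hostname-to-certificate matching (added example, not code from the original Q&A).

Models what the browser does after DNS resolution: it compares the hostname from
the address bar against the certificate's DNS names. DNS record type plays no part.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS name `pattern` taken from a certificate matches `hostname`.

    Wildcard handling follows RFC 6125: '*' must be the entire left-most label,
    it matches exactly one label, and it is refused for bare '*.tld' names.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the whole left-most label, never 'w*.example.com' or '*.com'
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    # One label only: '*.example.com' covers 'www.example.com', not 'example.com'
    # (too few labels) and not 'a.b.example.com' (too many).
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names a certificate is valid for: subjectAltName if present, else subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any DNS name in the certificate matches the typed hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names(cert))


# Constructed sample certificates (illustrative, not real issued certificates),
# in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT_WWW_ONLY = {  # the questioner's current certificate
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
CERT_WILDCARD = {  # option 1 in the question
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_MULTI = {  # what the answer recommends
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def compare_options(hostnames=("www.example.com", "example.com")) -> dict:
    """Which certificate option covers which typed hostname."""
    certs = {"www-only": CERT_WWW_ONLY, "wildcard": CERT_WILDCARD, "multi-domain": CERT_MULTI}
    return {name: {h: cert_matches_hostname(c, h) for h in hostnames} for name, c in certs.items()}


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Assumed helper: fetch a live server certificate as a getpeercert() dict.

    Needs network access. The chain is still validated (CERT_REQUIRED), but hostname
    checking is switched off here only so a mismatching certificate can be inspected
    with cert_matches_hostname() instead of failing the handshake. Do not reuse this
    context for real traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for option, results in compare_options().items():
        print(option, results)
```

Running it shows that both the www-only and the wildcard certificate cover `www.example.com` but not `example.com`, while only the multi-domain certificate covers both, which is why neither a CNAME nor a redirect served over HTTPS can remove the warning: the name comparison happens before any HTTP request is sent.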