TL;DR
For securing two domains plus all subdomains, a Wildcard SSL certificate is the best option. It’s more cost-effective and easier to manage than individual certificates.
1. Understanding Your Options
You have several choices for securing your websites with SSL/TLS:
- Single Domain Certificate: Secures one domain (e.g., www.example.com).
- Multi-Domain (SAN) Certificate: Secures multiple, specific domains and subdomains listed in the certificate. Requires renewal if you add new domains/subdomains.
- Wildcard SSL Certificate: Secures a domain and all its first-level subdomains (e.g., *.example.com secures www.example.com, blog.example.com, mail.example.com, etc.).
Given your requirement of two domains *and* all their subdomains, a Wildcard certificate is the most efficient.
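The following Python sketch is an added example, not part of the original guide. It applies the standard wildcard matching rule (a wildcard stands for exactly one left-most label) to show which hostnames a set of certificate names covers. The second domain example.org, the hostname list and the function names are constructed for illustration.

```python
# Added example: which hostnames a certificate's DNS names actually cover.
# All hostnames and name lists below are constructed for illustration.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label, so it never spans a dot.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # "*" cannot absorb zero labels or several labels
    if cert_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com")
        # and no further wildcards to the right of the first label.
        if len(cert_labels) < 3 or "*" in "".join(cert_labels[1:]):
            return False
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False  # partial wildcards such as "w*.example.com" are rejected
    return cert_labels == host_labels


def uncovered(cert_names, hostnames):
    """Return the hostnames that none of the certificate names match."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory: two domains, their subdomains, one nested subdomain.
SITES = ["example.com", "www.example.com", "blog.example.com",
         "dev.api.example.com", "example.org", "mail.example.org"]

# A certificate carrying a single wildcard name.
ONE_WILDCARD = ["*.example.com"]
# A certificate listing a wildcard and the bare domain for each domain.
TWO_DOMAINS = ["*.example.com", "example.com", "*.example.org", "example.org"]

if __name__ == "__main__":
    print("one wildcard leaves uncovered:", uncovered(ONE_WILDCARD, SITES))
    print("both domains listed leaves uncovered:", uncovered(TWO_DOMAINS, SITES))
```

Running the check against your own hostname inventory before ordering shows whether the bare domain, a second domain or a nested subdomain needs its own entry in the certificate.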
2. Choosing a Certificate Authority (CA)
Several reputable CAs offer Wildcard SSL certificates. Some popular options include:
- DigiCert: Generally more expensive but highly trusted.
- Sectigo (formerly Comodo): Good balance of price and trust.
- Let’s Encrypt: Free, automated, and open CA. Requires technical knowledge for setup/renewal.
For simplicity, we’ll focus on Sectigo as a good all-rounder.
3. Purchasing the Wildcard Certificate
- Visit the Sectigo website: Go to https://www.sectigo.com
- Select a Wildcard SSL certificate: Choose a suitable plan (DV, OV or EV – see Step 4).
- Add to cart and checkout: Provide the domain name you want to secure (e.g., *.example.com) during purchase.
4. Certificate Validation Levels
SSL certificates come in different validation levels:
- Domain Validated (DV): Quickest and cheapest. Verifies you control the domain. Suitable for blogs or personal websites.
- Organization Validated (OV): More thorough, verifying your organisation’s details. Recommended for businesses.
- Extended Validation (EV): Highest level of trust, displaying a green address bar in browsers. For high-security applications like e-commerce.
For most business websites, an OV Wildcard SSL certificate is recommended.
5. Generating a Certificate Signing Request (CSR)
You’ll need to generate a CSR on your web server. The process varies depending on your server software:
- Apache: Use the openssl command:
    openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
  Follow the prompts to enter your server details.
- NGINX: Use the openssl command (similar to Apache).
- cPanel/Plesk: Usually a CSR generation tool within the control panel.
Ensure you store the private key file (e.g., example.com.key) securely.
6. Submitting the CSR to Sectigo
- Log in to your Sectigo account: Access the order details for your purchased certificate.
- Paste the CSR: Copy and paste the contents of your example.com.csr file into the designated field.
- Complete validation: Follow Sectigo’s instructions for domain/organisation verification (usually email confirmation).
7. Installing the SSL Certificate
Once validated, Sectigo will provide you with the certificate files:
- Certificate file (.crt): The main SSL certificate.
- Intermediate certificates (bundle): Required for browser compatibility.
Installation also varies by server software:
- Apache: Edit your virtual host configuration file to include the certificate and intermediate certificates.
    SSLEngine on
    SSLCertificateFile /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/example.com.key
    SSLCertificateChainFile /path/to/intermediate_bundle.crt
- NGINX: Edit your server block configuration file.
    # NGINX sends clients only what is in ssl_certificate, so this file must hold
    # example.com.crt followed by the contents of intermediate_bundle.crt.
    ssl_certificate /path/to/example.com.crt;
    ssl_certificate_key /path/to/example.com.key;
    # Used to verify OCSP responses; these certificates are not sent to clients.
    ssl_trusted_certificate /path/to/intermediate_bundle.crt;
- cPanel/Plesk: Use the SSL/TLS manager within the control panel to upload and install the certificate files.
Restart your web server after installation.
8. Testing Your Installation
- Use an SSL checker tool: Websites like https://www.sslshopper.com/ssl-checker.html can verify your certificate installation.
- Check in a web browser: Visit https://www.example.com and ensure you see the padlock icon, indicating a secure connection.