SSL Certificate: Multiple Issuers?

TL;DR

No. An X.509 certificate has exactly one issuer field and one signature, so a single SSL/TLS certificate cannot be signed by two Certificate Authorities (CAs). What you can do instead is cover several names with one certificate (Subject Alternative Names, wildcards), hold separate certificates for different domains, or have the same key pair certified by two CAs, which gives you two distinct certificates rather than one certificate with two issuers.

Understanding the Problem

An SSL/TLS certificate is issued by a CA to vouch for the identity of a website. The CA signs the certificate with its own private key; anyone holding the CA’s public key (for example a browser with that CA in its trust store) can check the signature. The signature binds the certificate’s contents (domain names, organisation, validity period and, crucially, the website’s public key) to the single CA named in the certificate’s issuer field.

Two CAs cannot both sign the same certificate because the X.509 format (RFC 5280) provides exactly one issuer field and exactly one signature value; there is no slot for a second signer. A browser reads the issuer, locates that CA’s certificate, and verifies the one signature. Submitting the same key to two CAs is perfectly possible, but the result is two certificates, each with its own issuer and signature.

Solutions & Workarounds

  1. Subject Alternative Names (SANs)
    • SANs let one certificate cover several domain names or subdomains. This is the most common and recommended approach when you need coverage for several related names under one CA. Modern browsers identify the server from the SAN list alone and ignore the Common Name, so every hostname you serve must appear in the SAN list.
    • When requesting your certificate, list all the domains/subdomains you want covered in the SAN section of the CSR; the CA copies them into the issued certificate.
    • Example (OpenSSL configuration file; `prompt = no` makes the values under [req_distinguished_name] the actual subject rather than prompt labels):

       [req]
       prompt = no
       distinguished_name = req_distinguished_name
       # v3_req is attached to the CSR so the CA can copy the SAN list
       req_extensions = v3_req
       [req_distinguished_name]
       countryName = GB
       stateOrProvinceName = England
       localityName = London
       organizationName = My Company Ltd
       organizationalUnitName = IT Department
       commonName = example.com
       [v3_req]
       basicConstraints = CA:FALSE
       keyUsage = digitalSignature, keyEncipherment
       extendedKeyUsage = serverAuth, clientAuth
       subjectAltName = @alt_names
       [alt_names]
       # every name the server answers for, including the one in commonName
       DNS.1 = example.com
       DNS.2 = www.example.com
       DNS.3 = sub.example.com
      
  2. Wildcard Certificates
    • A wildcard certificate covers all first-level subdomains of one domain (e.g., *.example.com matches www.example.com and api.example.com, but not a.b.example.com). This is useful if you have many subdomains under one main domain.
    • The wildcard does not match the apex domain itself. Rather than buying a separate certificate for example.com, request a single certificate whose SAN list contains both example.com and *.example.com.
    • Because one private key then serves every subdomain, compromise of that key on any one host exposes all of them; deploy the wildcard key only to hosts that need it.
  3. Multiple Certificates
    • The simplest solution is to obtain separate certificates, from one or more CAs, each covering a specific domain or subdomain.
    • The same key pair (and even the same CSR) can be submitted to two different CAs. The result is two certificates for one key, each with its own issuer and signature, which is the closest thing to “two issuers” that exists: serve one and keep the other as a fallback in case the first CA is distrusted by browsers or revokes the certificate.
    • This provides the greatest flexibility but costs more and requires more management.
  4. Certificate Chaining
    • While you can’t have two issuers sign *one* certificate, trust is established through a chain: your server certificate is signed by an intermediate CA, whose certificate is in turn signed by a root (or another intermediate) that the browser already trusts. Install the intermediate certificate(s) alongside your server certificate so the browser can build the path back to a trusted root.
    • Cross-signing is how CAs themselves obtain “two issuers”: the same intermediate key is certified by two different roots, producing two intermediate certificates with the same subject and public key. Your single server certificate then chains to whichever root the client trusts, depending on which intermediate you send. Each certificate in the path still carries exactly one signature; it is the path, not the certificate, that has alternatives.
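The following is an added worked example, not code from the original page. It demonstrates, with OpenSSL (1.1.1 or later), the claims in items 1, 3 and 4 above: one key pair and one CSR carrying the article’s SAN list are signed by two independent throw-away CAs (named “Test CA A” and “Test CA B”, hypothetical stand-ins for two commercial CAs). Each resulting certificate names exactly one issuer, both contain the same public key, and each verifies only against the CA that issued it.

```shell
#!/bin/sh
# Added example (not from the original page): one CSR, two CAs, two certificates.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CSR configuration; prompt = no makes the [dn] values the real subject.
cat > san.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
O = My Company Ltd
CN = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = sub.example.com
EOF

# Minimal self-signed CA configuration; the CA name is supplied with -subj.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# One server key pair and one CSR (keygen noise on stderr is discarded).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -config san.cnf 2>/dev/null

make_ca() {   # $1 = file prefix, $2 = CA display name (hypothetical test CAs)
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$2" -days 1 -config ca.cnf 2>/dev/null
}
sign_with() { # $1 = CA prefix; signs server.csr and copies the requested SAN list
  openssl x509 -req -in server.csr -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 1 -extfile san.cnf -extensions v3_req -out "server_$1.crt" 2>/dev/null
}
make_ca ca_a "Test CA A"
make_ca ca_b "Test CA B"
sign_with ca_a   # -> server_ca_a.crt, issuer CN=Test CA A
sign_with ca_b   # -> server_ca_b.crt, issuer CN=Test CA B, same public key

# Inspection helpers: the single issuer, the SAN list, the public key, chain check.
issuer_of()        { openssl x509 -in "$1" -noout -issuer; }
san_of()           { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }
pubkey_digest()    { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
verifies_against() { openssl verify -CAfile "$1.crt" "$2" >/dev/null 2>&1; }  # $1 = CA prefix, $2 = cert file

for c in server_ca_a.crt server_ca_b.crt; do
  echo "$c: $(issuer_of "$c")"
  echo "$c: SAN $(san_of "$c")"
done
[ "$(pubkey_digest server_ca_a.crt)" = "$(pubkey_digest server_ca_b.crt)" ] \
  && echo "both certificates carry the same public key"
verifies_against ca_b server_ca_a.crt \
  || echo "server_ca_a.crt does NOT verify against Test CA B: one issuer per certificate"
```

Run it as a script; it works in a temporary directory that is removed on exit. Swap the two local CAs for real ones by sending `server.csr` to each and you get the same outcome: two independently trusted certificates for one key, never one certificate with two signatures.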

Important Considerations

  • Browser Compatibility: All modern browsers support SAN certificates and, in fact, require them: Chrome has ignored the Common Name since version 58, so a certificate whose only name is in the CN will be rejected.
  • CA Trust: Ensure every CA in the chain (root and any intermediates) is trusted by your target audience’s browsers and operating systems; a certificate chaining to a CA outside the client’s trust store fails verification regardless of its other properties.
  • Certificate Management: Keep track of certificate expiry dates and renew them promptly to avoid service disruptions. If you hold certificates from several CAs for one key, track each separately, and automate issuance and renewal (for example with an ACME client) rather than relying on calendar reminders.