TL;DR
No, an SSL certificate cannot be directly signed by two different Certificate Authorities (CAs) at the same time. However, you can achieve similar results using techniques like Subject Alternative Names (SANs) and wildcard certificates, or by having multiple separate certificates for different domains/subdomains.
Understanding the Problem
An SSL/TLS certificate is issued by a CA to verify the identity of a website. The CA digitally signs the certificate, confirming its authenticity. The signature binds the certificate's contents (domain name, organisation, the site's public key etc.) to the issuing CA, and anyone holding the CA's public key can verify that signature.
An X.509 certificate has room for exactly one issuer and one signature, so trying to have two CAs sign the same certificate would produce conflicting signatures and invalidate it. Browsers expect a single, trusted issuer to verify against.
Solutions & Workarounds
- Subject Alternative Names (SANs)
  - SANs allow you to include multiple domain names or subdomains within a single certificate. This is the most common and recommended approach when you need coverage for several related domains under one CA.
  - When requesting your certificate, specify all the domains/subdomains you want covered in the SAN list.
  - Example (using an OpenSSL configuration file for the certificate request):

```ini
[req]
# prompt = no makes OpenSSL take the values in req_distinguished_name as-is
# instead of treating them as labels for interactive prompts
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = GB
stateOrProvinceName = England
localityName = London
organizationName = My Company Ltd
organizationalUnitName = IT Department
commonName = example.com
emailAddress = admin@example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
# the SAN extension is what browsers match the requested hostname against
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = sub.example.com
```
- Wildcard Certificates
  - A wildcard certificate covers all first-level subdomains of a single domain (e.g., *.example.com). This is useful if you have many subdomains under one main domain.
  - Be aware that wildcard certificates don't cover the root domain itself; you'll still need a separate certificate for example.com unless it's included in a SAN list on another certificate.
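The hostname matching that decides what a SAN list or a wildcard actually covers, as an added example that is not part of the original page: it checks a hostname against a certificate's DNS SAN entries under the RFC 6125 rules, and the sample SAN lists are constructed (the three names from the OpenSSL config above, plus a wildcard-only certificate for comparison).

```python
"""Added example (not from the original page): decide whether a hostname is
covered by a certificate's DNS SAN entries, using the matching rules from
RFC 6125 section 6.4.3. A wildcard is only valid as the whole leftmost label
and matches exactly one label, which is why *.example.com covers
www.example.com but neither example.com nor a.b.example.com."""


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is ignored for matching
    return name.strip().rstrip(".").lower()


def san_entry_matches(entry: str, hostname: str) -> bool:
    """Return True if a single DNS SAN entry covers hostname."""
    entry, hostname = _normalise(entry), _normalise(hostname)
    if "*" not in entry:
        return entry == hostname
    labels = entry.split(".")
    # The wildcard must be the entire leftmost label, appear only once, and
    # leave at least two real labels (so "*.com" is rejected).
    if labels[0] != "*" or "*" in entry[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # Exactly one label stands in for the wildcard: same label count, and
    # everything to the right of the wildcard must match label for label.
    return (len(host_labels) == len(labels)
            and host_labels[0] != ""
            and host_labels[1:] == labels[1:])


def covering_entry(san_list, hostname):
    """Return the first SAN entry that covers hostname, or None if none does."""
    for entry in san_list:
        if san_entry_matches(entry, hostname):
            return entry
    return None


# Constructed sample inputs: the SAN list from the OpenSSL config above, and
# a wildcard-only certificate for comparison.
PAGE_SAN_LIST = ["example.com", "www.example.com", "sub.example.com"]
WILDCARD_SAN_LIST = ["*.example.com"]

if __name__ == "__main__":
    for sans in (PAGE_SAN_LIST, WILDCARD_SAN_LIST):
        for host in ("example.com", "www.example.com", "a.b.example.com"):
            print(f"{sans} covers {host}: {covering_entry(sans, host)}")
```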
- Separate Certificates
  - The simplest solution is to obtain separate certificates from one or more CAs, each covering a specific domain or subdomain.
  - This provides the greatest flexibility but can be more expensive and require more management.
- Certificate Chaining
  - While you can't have two issuers sign *one* certificate, you can chain multiple certificates together to build trust. This involves installing intermediate CA certificates along with your server certificate. The browser verifies the entire chain back to a trusted root CA. This doesn't mean multiple issuers for one cert; it means verifying the path of trust.
Important Considerations
- Browser Compatibility: All modern browsers support SAN certificates.
- CA Trust: Ensure that all CAs involved are trusted by your target audience’s browsers.
- Certificate Management: Keep track of certificate expiry dates and renew them promptly to avoid service disruptions.