Web hosting SSL certificates can sometimes cost as much as, or more than, the monthly hosting fee. An open-source equivalent is Let's Encrypt. Let's Encrypt is a non-profit organisation that helps non-corporate individuals make sure that their website or mail server meets SSL requirements.
SSL certificates come in different levels of assurance. The basic level only checks that the certificate is tied to the DNS record it claims to be for and that the domain is not on a blacklist. Higher levels of SSL certificate require various documents to be submitted, reviewed and approved, each step adding to the time it takes to get a certificate issued.
For the ThinkingHat website, we have so far stuck to the basic level.
When new domains are created, Let's Encrypt allows the existing certificate to be expanded to cover them.
Installing and Using Certbot
Installing Certbot on most Linux distributions is straightforward. On Debian and Ubuntu, we can install it using apt-get:
$ sudo apt-get install certbot
Once installed, Certbot can be invoked from the command line to obtain and install certificates. For instance, we can request a certificate for a specific domain:
$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com
Here --manual together with --preferred-challenges=dns selects the DNS-01 challenge: Certbot interactively prints a token that we must publish as a TXT record under _acme-challenge.example.com, then validates domain control against DNS before issuing the certificate. Because of certonly, Certbot only obtains the certificate and leaves the web server configuration untouched.
Issuing a Certificate for a Domain with Multiple Subdomains
In scenarios where we need to secure multiple domains or subdomains with a single certificate, Certbot simplifies the process. For example, we can specify all the domains we want to include in the certificate request:
$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d www.example.com -d blog.example.com
This command generates a single certificate covering all of the specified domains. The same certificate can be installed on several servers if some of our subdomains are hosted elsewhere. The maximum number of subject alternative names allowed per certificate is 100 at the time of writing.
Expanding an Already-Issued Certificate
Sometimes we need to add more domains to an already-issued certificate. Certbot's --expand option comes in handy for this purpose. After issuing the certificate above, we can expand it to include additional subdomains:
$ sudo certbot certonly --expand --manual --preferred-challenges=dns -d example.com -d www.example.com -d blog.example.com -d store.example.com
This command issues a new certificate that replaces the existing one, covering the newly added domain along with the previously covered ones. The -d list must repeat every name already on the existing certificate as well as the new ones, because the replacement certificate contains exactly the names requested.
Issuing a Certificate for a Wildcard Domain
Another scenario we may encounter is when we need to secure multiple subdomains with a single certificate without prior knowledge of the subdomain names. In this case, we can opt for a wildcard certificate. Wildcard certificates require using the DNS-01 challenge:
$ sudo certbot certonly --manual --preferred-challenges=dns -d example.com -d *.example.com
This command generates a certificate covering the base domain, example.com, together with any number of direct subdomains such as blog.example.com or web.example.com. The wildcard matches exactly one label, so a deeper name such as dev.blog.example.com is not covered and would need its own entry (or a further wildcard such as *.blog.example.com).
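As an added example (not part of the original article, and not Certbot's own code), the following Python script applies the wildcard rule above to the names on an existing certificate: it reports which wanted hostnames are not covered and builds the -d list for an --expand run, refusing when the 100-name limit mentioned earlier would be exceeded. The sample names are constructed.

```python
# Added example (not Certbot code): decide whether a set of hostnames is
# covered by the names (SANs) on an existing certificate, applying the
# wildcard rule Let's Encrypt certificates follow: "*.example.com" matches
# exactly one label, so it covers blog.example.com but neither example.com
# itself nor a.b.example.com.

MAX_SANS = 100  # per-certificate SAN limit quoted in the article


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single certificate name covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard: hostname must be the suffix with exactly one extra label.
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label and "*" not in first_label


def uncovered(sans, hostnames):
    """Hostnames not matched by any SAN, in the order given, without duplicates."""
    missing = []
    for h in hostnames:
        if not any(san_matches(s, h) for s in sans) and h not in missing:
            missing.append(h)
    return missing


def expand_args(sans, hostnames):
    """Build the -d arguments for `certbot certonly --expand ...`.

    Returns None when the existing certificate already covers every hostname;
    raises ValueError when the combined name list would exceed MAX_SANS."""
    missing = uncovered(sans, hostnames)
    if not missing:
        return None
    names = list(sans) + missing          # existing names must be repeated
    if len(names) > MAX_SANS:
        raise ValueError(f"{len(names)} names exceed the {MAX_SANS}-SAN limit")
    return [arg for name in names for arg in ("-d", name)]


if __name__ == "__main__":
    # Constructed sample: the wildcard certificate from the article.
    current = ["example.com", "*.example.com"]
    wanted = ["blog.example.com", "store.example.com", "api.v2.example.com"]
    print("missing:", uncovered(current, wanted))
    print("certbot certonly --expand", " ".join(expand_args(current, wanted) or []))
```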