Do I need to buy 2 SSL certificates?

Hi, I have configured 2 virtual machines with virtualmin, the first one with apache + dns (master) and the second one with postfix, dovecot and bind (slave).

Now I plan to protect these services with SSL.

The Godaddy standard certificate “Contains only the domain name” but I have to manage two different IP Address.

Do I need to buy 2 different standard SSL certificates, or can I use the same one for different VPS with the same domain name?

Sorry if someone has already asked it in previous posts and thanks a lot for your response.

I think you could use it for different VPS (at least this is what I would try first).

Also: why buy an SSL certificate, maybe a free SSL certificate from startssl.org would be enough?

You can use one certificate on as many servers as you want - the IP address is not part of the cert. As long as the domain name that the client software (web browser, email client) uses is the one (or one of the aliases) present in the certificate, you’re good to go.

I’m just wondering though how you plan to configure your two virtual machines exactly… They do need different IP addresses, and if you use one hostname, that can only resolve to one IP address. How are you planning to differentiate between your web and mail server?

(Yeah yeah, I know, hostnames can resolve to multiple IP addresses, but that’s for random load balancing purposes. :slight_smile: )

Helpmin, Locutus, thanks a lot for the suggestions.

Maybe a free SSL certificate would be enough; I’ll do some tests with it.

I plan to configure the “domain.tld” with the IP address of the VPS with httpd + bind (master) and then create an MX record that points to the other VPS with dovecot + postfix + bind (slave).

Of course, every time I need to create a new domain I must do a double activity, but I prefer to split web services from mail services.

Mmh, problem here is: The MX record is not relevant in terms of certificate.

The MX record is used when other mail servers deliver mail to your system. Those do not use SSL, but connect regularly to port 25.

SSL is used when your users fetch or send email, via POP3/IMAP and SMTP. They will/can connect via SSL, but they don’t use the MX record for that, but a specific hostname you tell them to use. For example, “mail.domain.tld”. That hostname naturally must be different from your “domain.tld” since it must resolve to a different IP address.

Hence for your scenario, you will need either two separate certificates, or one certificate with multi-domain or wildcard functionality. Neither of which is usually available in free certificates.

StartSSL offers creating multiple separate free certificates though, which you can use here.

Great tips, thanks Locutus.

In the MX record I’ve inserted the VPS hostname but, as you suggested, an entry like “mail.domain.tld” is much more elegant.

Moreover, I have to think about free SSL certificates versus a multi-domain one.

Anyway, what isn’t really clear to me is whether I can manage my configuration with multiple domains using only 2 certificates (one for the web server VPS and another one for the mail service VPS).

I imagine that I must get 2 free certificates for every domain that I plan to manage on those VPS, isn’t it?

In that way this configuration isn’t very manageable.

Actually, I had the very same thing to consider just a few days ago. :slight_smile:

Indeed, if you wish to use “mail.customerdomain.tld” for each of your domains, you’ll need a multi-domain certificate and re-create it each time a new domain is added. That’s because unlike Apache, the mail server (Postfix/Dovecot) can use only one certificate in general. (There are ways to apply different certs per local IP, but it’s complicated, and you won’t want to do that, and surely not waste an IP for every domain just for email.)

You could tell all your domain users to use one specific servername, like “sslmail.hosterdomain.tld”, no matter what the customer domain is.

In my specific environment, I want to be able to relocate individual domains between my servers, so they need individual servernames also for email.

So, the way I did it was I made a wildcard certificate for “*.sslmail.hosterdomain.tld”, and every domain that I host gets, in addition to “customerdomain.tld”, an entry in that zone named “customerdomain.sslmail.hosterdomain.tld”. I tell the customers/users that they have to use that servername if they want to use SSL without certificate warnings.

I also made a script that composes the sslmail zone from all Virtualmin domains that have email enabled. That script is executed automatically each time any change to virtual servers is made.

It’s a bit more complicated and yields slightly longer servernames for email, but it’s the only really feasible way to do this.

Unfortunately you’ll probably need to pay for those certificates; I know of no cert service that offers wildcard certs for free. I personally use the class 2 validation of StartSSL, which costs $60 per year for unlimited certs.
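Two points in this thread are easy to get wrong in practice: a certificate is matched against the server name the client was told to use (the IP address plays no role), and a wildcard such as “*.sslmail.hosterdomain.tld” covers exactly one extra label, so a name like “mail.customerdomain.tld” is not covered by it. The following is an added example, not code from this thread or from Virtualmin: a small name-matching routine in the style of RFC 6125, plus a generator for the per-customer records in the sslmail zone. The hostnames, the mail server IP, the hosted domain list and the choice to collapse a customer domain into a single hyphenated label (so that the single-label wildcard still matches) are all assumptions made for illustration.

```python
"""Certificate name matching and sslmail zone records (added example).

Assumptions: hoster zone "sslmail.hosterdomain.tld", mail IP 198.51.100.25
(documentation range), and a constructed list of hosted domains.
"""
from typing import Iterable, List


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (SAN or CN) against a client-facing hostname.

    Rules applied, following common TLS client behaviour:
    - comparison is case-insensitive and a trailing dot is ignored
    - without a wildcard the names must be identical
    - a wildcard is only honoured as the entire left-most label and
      matches exactly one label: "*.a.b" matches "x.a.b" but neither
      "a.b" nor "y.x.a.b"
    - a wildcard may not stand directly in front of a bare TLD ("*.tld")
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leading wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # wildcard too broad, or label count differs
    if not all(h_labels):
        return False  # empty label in the hostname
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name listed in the certificate matches the hostname.

    Note what is absent: the server's IP address. The same certificate can
    therefore be installed on any number of machines.
    """
    return any(name_matches(name, hostname) for name in cert_names)


def build_sslmail_zone(hosted_domains: Iterable[str], mail_ip: str,
                       zone: str = "sslmail.hosterdomain.tld") -> List[str]:
    """Emit one A record per hosted domain under the wildcard-certified zone.

    Assumption: "example.com" becomes the single label "example-com", because
    "*.sslmail.hosterdomain.tld" would not cover "example.com.sslmail...".
    Each generated name is checked against the wildcard before it is emitted.
    """
    wildcard = f"*.{zone}"
    records = []
    for domain in sorted(set(hosted_domains)):
        label = domain.lower().rstrip(".").replace(".", "-")
        fqdn = f"{label}.{zone}"
        if not cert_covers([wildcard], fqdn):
            raise ValueError(f"{fqdn} would not be covered by {wildcard}")
        records.append(f"{fqdn}.\tIN\tA\t{mail_ip}")
    return records


if __name__ == "__main__":
    wildcard = ["*.sslmail.hosterdomain.tld"]
    for host in ("acme.sslmail.hosterdomain.tld",      # covered
                 "mail.acme.org",                      # not covered
                 "sslmail.hosterdomain.tld"):          # not covered (no label)
        print(f"{host:40} covered={cert_covers(wildcard, host)}")
    # constructed list of Virtualmin domains with email enabled
    for line in build_sslmail_zone(["example.com", "acme.org"], "198.51.100.25"):
        print(line)
```

The zone generator mirrors the idea of a script that rebuilds the sslmail zone from the list of mail-enabled domains; in a real setup the domain list would come from the Virtualmin domain inventory rather than a hard-coded list, and the output would be appended to the zone file for sslmail.hosterdomain.tld before reloading BIND.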

Locutus,
your explanation was very clear (are you a writer of technical white papers? :slight_smile: ) and the configuration that you implemented in your environment is surely great, but it is a little bit tricky for my level of knowledge.

I need to split web from mail services and I don’t need to relocate individual domains between servers (I hope), so I have to implement the easiest possible configuration for me.

I plan to start with a specific servername like “sslmbx.mydomain.tld” with free StartSSL class 1 certs and then change this configuration in case of necessity.

Anyway, your configuration is really interesting, but I need to do some tests and study a bit more :wink:

I also need to clarify how to configure a secondary (backup) mail server but this is another story.

Thank you so much for your suggestions!

You’re welcome! :slight_smile:

Whitepapers… well, kinda. I work at a University and do have to write documentation and speeches from time to time. :slight_smile:

If you don’t need to split your domains, you can indeed go the easiest way and use one specific servername for your SSL connection, and make the certificate for that. That’d be a good start, and makes it easier for both you and your users.

My configuration is indeed trickier, but as usual, when you know how it works, it’s easy to reproduce. :slight_smile: I can give you some help, if and when need be, by logging into your system and configuring some stuff.

Locutus, thanks for your suggestions and your help.

I’ll proceed with the easier configuration without splitting the domains and with a single mail server.

In this way I’ll be able to recover the system myself without too many problems in case of faults.

In the meantime I’ll continue to study this great product to be able to evolve my configuration in the future.