TLS-CSR questions - wildcards, multi-domain???

Hi. I need to get a TLS certificate for a third-party web app I'm deploying internally - actually it's more of a platform in its own right really, since it manages its own Kubernetes cluster, but that's not important.

Apparently I need a TLS certificate that secures the following domains:

  • knime.myorg.com
  • apps.knime.myorg.com
  • api.knime.myorg.com
  • ws.knime.myorg.com
  • auth.knime.myorg.com
  • storage.knime.myorg.com
  • registry.knime.myorg.com

The resulting certificate needs to be in the form of a single pem file - this is dictated by the third-party app.

What's the best way to get TLS certificate(s) to cover these domains?

 

My research suggests that it wouldn't be enough to just get a wildcard for *.knime.myorg.com, since the root domain wouldn't be covered. Although, there seems to be some disagreement on this. Instead, my options seem to be to either get two certificates - one for knime.myorg.com and one for *.knime.myorg.com - or to get a multi-domain/SAN certificate that explicitly covers the above domains.

 

I thought the SAN option made the most sense, since it would produce a single certificate. However, the external IT company we contract with suggested the cheapest option would be to get a wildcard plus root certificate. That said, they quoted me 300 GBP (~380 USD) for the wildcard certificate - for 1 year - and then 60 GBP for the single domain. Does that sound right?

 

Generating the CSR files for either option isn't a problem. I have instructions to follow for generating them with openssl. I'm just a bit confused about which I need to pay for and what cost is normal. I would like to double-check that, assuming the two certificates are the best option, I can just concatenate the resulting files into a single pem, right?

 

Thanks.
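An added example, not part of the original post: a small checker for which of the seven hostnames listed above a given set of certificate SAN entries covers, using the RFC 6125 rule that `*` stands for exactly one left-most label. The function names and the three option sets are illustrative assumptions; the third set shows that one certificate whose SAN list holds both the apex name and the wildcard covers everything.

```python
# Added example: hostname coverage for a certificate's SAN (dNSName) entries.
# Assumption: only a wildcard that is the entire left-most label is accepted;
# partial-label wildcards such as "f*.example.com" are treated as non-matching.

REQUIRED = [
    "knime.myorg.com",
    "apps.knime.myorg.com",
    "api.knime.myorg.com",
    "ws.knime.myorg.com",
    "auth.knime.myorg.com",
    "storage.knime.myorg.com",
    "registry.knime.myorg.com",
]


def san_matches(pattern: str, host: str) -> bool:
    """Return True if one SAN entry covers one hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h  # plain name: exact, case-insensitive match
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the whole first label
    # "*" replaces exactly one non-empty label, so label counts must be equal
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def uncovered(san_entries, hosts=REQUIRED):
    """List the hostnames that no SAN entry covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in san_entries)]


# Constructed option sets mirroring the choices discussed in the post.
OPTIONS = {
    "wildcard only": ["*.knime.myorg.com"],
    "explicit SAN list": list(REQUIRED),
    "apex + wildcard SANs": ["knime.myorg.com", "*.knime.myorg.com"],
}

if __name__ == "__main__":
    for name, sans in OPTIONS.items():
        missing = uncovered(sans)
        status = "covers all" if not missing else "missing: " + ", ".join(missing)
        print(f"{name:22} -> {status}")
```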
