View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions SSL certificates IP and subdomains
Log in to Ask a Question

SSL certificates IP and subdomains

development

Hello,

I am running nginx on centos 5 with many virtual hosts.

I need to install a few SSL certificates for various domains and I am a bit confused. Each domain would have its own and distinct certificate.

(1) Can I install several certificates if the domains share the same IP or do I need a new IP for each certificate and domain?

(2) I have a failover system to redirect traffic to another linode. Would the client to buy two certificates?

(3) I understand that there are single-root certificates and wild-card certificates. In my nginx configuration file, I usually have:

listen some_ip:80;

server_name example.com;

server_name www.example.com;

Would I need a single or a wildcard certificate? Is there a way to write the configuration file so that only the single-root certificate is needed?

Thank you in advance for your answers

5 Replies

For your first question, no, it's not possible. The web server doesn't know what domain you want to access until after the encrypted session begins, and the certificate is needed before session begins. So there's no way for the webserver to know what certificate it should use until after its used the certificate; a paradox.

Wildcard certificates are a solution if the different sites are on subdomains of the same domain, you would use a single certificate for multiple domains (foo.domain.com and bar.domain.com would both use a *.domain.com certificate).

For your second question, no, as long as the failover site uses the same domain; certificates are not tied to IPs, but to domains, as far as the client is concerned.

@Guspaz:

For your first question, no, it's not possible. The web server doesn't know what domain you want to access until after the encrypted session begins, and the certificate is needed before session begins. So there's no way for the webserver to know what certificate it should use until after its used the certificate; a paradox.
Note that technically this isn't an absolute limitation since SNI was introduced (which embeds the server name information within the encrypted session negotiation, so the information is available before the session begins), but I agree in practice at the moment, since unless you know all your clients support it, it may not be a practical solution.

To the OP, you can cover example.com and www.example.com with the "Subject Alternate Names" field in the certificate. For example, the primary CN in the certificate would be for www.example.com (or whichever of the two is your primary use name), but you'd have an alternate name value for example.com (you should also repeat the CN in the SAN field for best compatibility). Making a wildcard certificate (a wildcard value in the CN) would only be needed if you had other hosts/subdomains beneath example.com.

Whether or not your certificate provider lets you create such certificates (or more likely charges more for them) is up to that porvider. Some give them different names like a UC or UCC certificate. Of course, if you're self-signing, do anything you want.

For what it's worth (and only because I just recently had reason to use them, not to try to change to a certificate authority discussion), a free certificate from StartSSL I made recently automatically included the unadorned domain name as an alternate name in the certificate. That is, creating a single host certificate for www.example.com will should include example.com as an alternate name automatically. I've used very few commercial CAs, so maybe that's common behavior, I don't know.

– David

I use apache, and it allows me to setup a cert for a specific vhost. Might consider doing that?

@superfastcars:

I use apache, and it allows me to setup a cert for a specific vhost. Might consider doing that?
That likely uses Server Name Indication (SNI) which requires client support. Client support is actually pretty pervasive, the biggest "blocker" being Internet Explorer running on Windows XP (IE on Vista or 7 is fine). If supporting IE on XP (over HTTPS) isn't a concern for you then using SNI is the ideal solution.

@dbb:

@superfastcars:

I use apache, and it allows me to setup a cert for a specific vhost. Might consider doing that?
That likely uses Server Name Indication (SNI) which requires client support. Client support is actually pretty pervasive, the biggest "blocker" being Internet Explorer running on Windows XP (IE on Vista or 7 is fine). If supporting IE on XP (over HTTPS) isn't a concern for you then using SNI is the ideal solution. Perhaps.. but I'll show you what vhost.conf has in it for that specific cert it needs;

 <virtualhost mywebsite.com:443="">ServerAdmin me@mywebsite.com
        ServerName mywebsite.com
        ServerAlias www.mywebsite.com

        DocumentRoot /path/to/public_html/

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /path/to/ssl/mywebsite.com.crt
        SSLCertificateKeyFile /path/to/ssl/mywebsite.com.key
        SSLCertificateChainFile /path/to/ssl/mysslcompany.ca
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        CustomLog /path/to/logs/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
        ErrorLog /path/to/logs/error.log
        CustomLog /path/to/logs/access.log combined</virtualhost>

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct