Normally, by default for every site (for example for every home page URLlike ww.example.com) that you want to protect you need to set up separate SSL/TLS configuration. The most important part of the configuration is the private key and certificate. In standard SSL deployments this leads to a situation that for every new site you have a new public IP that is tight through DNS to URL name that is used as a CN(common name) in the new certificate.
The security of the TLS/SSL protocol heavily depends on the method how the client verifies and confirms and the identity of your site. The most common and the most important part of the client check is to evaluate and compare the site URL with the CN value embedded in the certificate.
Problem
How to use a single certificate to protect multiple different sites (domains).
How to use a single public IP to host multiple SSL sites.
Solution 1: wildcard plus alternative names
- Wildcard
subdomain1.rado.com - ok
sub2.subdomain1.rado.com - bad
- Alternative names
- Combine alternative names and wildcard in a single certificate
You can combine these to options. You can have a wildcard certificate with multiple alternative names using wildcard domains, example:
*.rado.com - CN
*.subdomain1.rado.com - alternative name to overcome the wildcard limitation
*.radoninja.com - alternative name for 2th domain
*.subdomain.radoninja.com - another alternative name, etc...
Solution 2
Alternatively to use a single certificate with multiple domains uou can use the newer TLS extension called SNI.
The disadvantage is that SNI is relatively new. There are some older web clients, for example Win XP or some mobile browsers that don't support it yet. That means that your site may not be available for these clients if you supports only SNI.
Example
http://www.ssltools.com/certificate_lookup/www.wikipedia.orgSSL Certificate
Common Name : *.wikipedia.org
Subject Alternative Names : *.wikipedia.org, wikipedia.org, m.wikipedia.org, *.m.wikipedia.org, wikibooks.org, m.wikibooks.org, *.wikibooks.org, *.m.wikibooks.org, wikidata.org, m.wikidata.org, *.wikidata.org, *.m.wikidata.org, wikimedia.org, m.wikimedia.org, *.wikimedia.org, *.m.wikimedia.org, wikimediafoundation.org, m.wikimediafoundation.org, *.wikimediafoundation.org, *.m.wikimediafoundation.org, wikinews.org, m.wikinews.org, *.wikinews.org, *.m.wikinews.org, wikiquote.org, m.wikiquote.org, *.wikiquote.org, *.m.wikiquote.org, wikisource.org, m.wikisource.org, *.wikisource.org, *.m.wikisource.org, wikiversity.org, m.wikiversity.org, *.wikiversity.org, *.m.wikiversity.org, wikivoyage.org, m.wikivoyage.org, *.wikivoyage.org, *.m.wikivoyage.org, wiktionary.org, m.wiktionary.org, *.wiktionary.org, *.m.wiktionary.org, mediawiki.org, *.mediawiki.org, m.mediawiki.org, *.m.mediawiki.org
Issuer Name : DigiCert High Assurance CA-3
Serial Number : 07:24:ee:a9:7c:55:f2:57:5e:28:8b:a4:cc:f2:0e:8e
SHA1 Thumbprint : DA:AA:A4:9B:AD:0C:1F:A3:29:71:D8:CC:62:BA:72:D1:A4:DB:94:9F
Key Length : 2048 bit
Signature Algorithm : sha1WithRSAEncryption
Secure Renegotiation: Supported
References
http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.wikipedia.org/wiki/Subject_Alternative_Name
http://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain
http://en.wikipedia.org/wiki/Server_Name_Indication
http://www.delantek.com/san.html
https://devcentral.f5.com/articles/multiple-certs-one-vip-tls-server-name-indication-via-irules#.Un832_lpmYI
3.1. Server Identity
http://www.ietf.org/rfc/rfc2818.txt
http://www.networksorcery.com/enp/protocol/tls.htm
Posts
I agree with you. The most important reason is “Search engines love blogging” but yeah, you also need to do posting on regular basis cheap wildcard ssl
ReplyDeleteA very nice Focus on why we need Cheap Wildcard SSL for our website. Now a days SSL certificate is as must as like SEO for protect our website online.
ReplyDelete