
Sunday, November 10, 2013

How to use wildcard certificate with alternative name extensions or server name indication (SNI) certificates

There are a number of ways to incorporate security into your web site. The most common method is to use the SSL/TLS protocol to create and maintain a secure channel between the client and the server.

Normally, by default, every site you want to protect (for example every home page URL like www.example.com) needs its own separate SSL/TLS configuration. The most important part of that configuration is the private key and the certificate. In standard SSL deployments this leads to a situation where every new site needs a new public IP, tied through DNS to the host name that is used as the CN (common name) in the new certificate.

The security of the TLS/SSL protocol heavily depends on how the client verifies and confirms the identity of your site. The most common and most important part of the client check is to evaluate the host name in the site URL and compare it with the CN value embedded in the certificate.

From a high-level point of view, to guarantee the security of your sites you need to protect and manage all your private keys and certificates on all devices, such as web servers, load balancers, etc.

Problem

How to use a single certificate to protect multiple different sites (domains).
How to use a single public IP to host multiple SSL sites.

Solution 1: wildcard plus alternative names
  • Wildcard
To use a single certificate for multiple sites we can use a wildcard certificate. Such a certificate covers all host names that share one parent domain, for example *.rado.com. The limitation is that the wildcard can stand in for only one single label (domain level). That means:

subdomain1.rado.com - ok
sub2.subdomain1.rado.com - bad
  • Alternative names
A certificate can also protect two or more different domains, for example www.rado.com and www.radoninja.com. All you need is to provide one or more alternative names (Subject Alternative Names, SAN) when registering and buying the certificate.
  • Combine alternative names and wildcard in a single certificate
You can combine these two options: a wildcard certificate with multiple alternative names that are themselves wildcard domains, for example:

*.rado.com - CN
*.subdomain1.rado.com - alternative name to overcome the wildcard limitation
*.radoninja.com - alternative name for the second domain
*.subdomain.radoninja.com - another alternative name, etc.
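To see exactly which host names the wildcard and alternative names above do and do not cover, here is a small hostname matcher written for this post (added example, not code from the original post). It applies the single-label wildcard rule from RFC 2818 section 3.1 to a certificate's CN and SAN list; the certificate values are constructed from the post's rado.com and radoninja.com examples.

```python
# Added example, not code from the original post: a hostname matcher that
# applies the single-label wildcard rule from the text (RFC 2818 section 3.1 /
# RFC 6125 style) to a certificate's CN and Subject Alternative Names.
from typing import Iterable


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example') against a host.

    '*' may only be the whole left-most label and stands for exactly one
    label, so '*.rado.com' matches 'subdomain1.rado.com' but neither
    'sub2.subdomain1.rado.com' nor the bare 'rado.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # refuse partial wildcards ('w*.rado.com') and too-broad ones ('*.com')
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # the wildcard never spans more than one label
    return h_labels[1:] == p_labels[1:]


def certificate_covers(hostname: str, common_name: str,
                       alt_names: Iterable[str] = ()) -> bool:
    """True if a certificate with this CN and SAN list is valid for hostname.

    Clients check the SAN dNSName entries and fall back to the CN only when
    the certificate carries no SAN list; the same order is used here.
    """
    names = list(alt_names) or [common_name]
    return any(name_matches(n, hostname) for n in names)


# Constructed sample: the combined wildcard + alternative-names certificate
# described in the post (rado.com and radoninja.com are the post's examples).
CERT_CN = "*.rado.com"
CERT_SANS = ["*.rado.com", "*.subdomain1.rado.com",
             "*.radoninja.com", "*.subdomain.radoninja.com"]

if __name__ == "__main__":
    for host in ("subdomain1.rado.com", "sub2.subdomain1.rado.com",
                 "rado.com", "www.radoninja.com"):
        # with the CN alone vs. with the alternative names added
        print(f"{host:28} CN only: {certificate_covers(host, CERT_CN)!s:5} "
              f"CN+SAN: {certificate_covers(host, CERT_CN, CERT_SANS)}")
```

Note that the bare rado.com is covered by neither the wildcard nor the listed alternative names; that is why real multi-domain certificates, like the Wikipedia one in the example below, list both *.wikipedia.org and wikipedia.org.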

Solution 2

Alternatively, instead of a single multi-domain certificate, you can use the newer TLS extension called SNI (Server Name Indication), which lets a single public IP serve several SSL sites, each with its own certificate.

The disadvantage is that SNI is relatively new. Some older web clients, for example on Windows XP or some mobile browsers, don't support it yet. That means your site may not be available to these clients if you rely only on SNI.

Example

The certificate served for www.wikipedia.org shows Solution 1 in practice: a wildcard CN combined with a long list of alternative names, including the bare domains and *.m.* wildcards for the mobile sub-subdomains.

http://www.ssltools.com/certificate_lookup/www.wikipedia.org

SSL Certificate

Common Name : *.wikipedia.org 
Subject Alternative Names : *.wikipedia.org, wikipedia.org, m.wikipedia.org, *.m.wikipedia.org, wikibooks.org, m.wikibooks.org, *.wikibooks.org, *.m.wikibooks.org, wikidata.org, m.wikidata.org, *.wikidata.org, *.m.wikidata.org, wikimedia.org, m.wikimedia.org, *.wikimedia.org, *.m.wikimedia.org, wikimediafoundation.org, m.wikimediafoundation.org, *.wikimediafoundation.org, *.m.wikimediafoundation.org, wikinews.org, m.wikinews.org, *.wikinews.org, *.m.wikinews.org, wikiquote.org, m.wikiquote.org, *.wikiquote.org, *.m.wikiquote.org, wikisource.org, m.wikisource.org, *.wikisource.org, *.m.wikisource.org, wikiversity.org, m.wikiversity.org, *.wikiversity.org, *.m.wikiversity.org, wikivoyage.org, m.wikivoyage.org, *.wikivoyage.org, *.m.wikivoyage.org, wiktionary.org, m.wiktionary.org, *.wiktionary.org, *.m.wiktionary.org, mediawiki.org, *.mediawiki.org, m.mediawiki.org, *.m.mediawiki.org 
Issuer Name : DigiCert High Assurance CA-3 
Serial Number : 07:24:ee:a9:7c:55:f2:57:5e:28:8b:a4:cc:f2:0e:8e 
SHA1 Thumbprint : DA:AA:A4:9B:AD:0C:1F:A3:29:71:D8:CC:62:BA:72:D1:A4:DB:94:9F 
Key Length : 2048 bit 
Signature Algorithm : sha1WithRSAEncryption 
Secure Renegotiation: Supported


References

http://en.wikipedia.org/wiki/Server_Name_Indication
http://en.wikipedia.org/wiki/Subject_Alternative_Name
http://stackoverflow.com/questions/2115611/wildcard-ssl-on-sub-subdomain
http://www.delantek.com/san.html
https://devcentral.f5.com/articles/multiple-certs-one-vip-tls-server-name-indication-via-irules#.Un832_lpmYI
RFC 2818, section 3.1 "Server Identity": http://www.ietf.org/rfc/rfc2818.txt
http://www.networksorcery.com/enp/protocol/tls.htm


2 comments:

  1. I agree with you. The most important reason is “Search engines love blogging”, but yeah, you also need to post on a regular basis. cheap wildcard ssl

  2. A very nice focus on why we need Cheap Wildcard SSL for our website. Nowadays an SSL certificate is as much a must as SEO to protect our website online.