I have a requirement of providing different domain to each seller in my e-commerce application like Shopify does. I don't think using multiple ssl certificates(one ssl certificate for each domain/seller) is a good option. For managing multiple domains, as I get to know so far is that I can use SAN multi-domain certificates which can handle different domains but only upto 100 different domains. Is it possible to handle multiple SAN ssl certificates on single server? Also I am using load-balancer for my AWS instances, how can I manage my load-balancer in case of multiple SAN ssl certificates. Can any one please answer?
Currently most certificate authorities limit the maximum number of SANs you can request in a single certificate to around 100, although, I've heard of some offering up to 150.
You can use multiple SSL certificates in Apache with multiple VirtualHost blocks, and Nginx with multiple server blocks. You can also specify multiple certificates for the same VirtualHost or server block, if you didn't want to split them up. Or if each client is getting their own block anyway, you can just point them all to the same certificate that has their domain in the SAN field. It just depends on your setup.
Whichever method you choose, you'll want to ensure that the VirtualHost or server block has a ServerName (apache) or server_name (nginx) listed for each SAN it will be answering for.
As for load balancing with multiple certificates in AWS, Amazon implemented support for this recently (October 2017).
Related
I have Wild Card SSL Certificate and i need to implement it on multiple domains. on first it is being implemented and on second i have to implement. Is it possible that i can implement the same certificate on Two Domains. Domains are hitting the same IP Address, means hosted on same server. But having different Domains first is like: https://erp.example.com and Second is http://app.example.com. Both application are differently hosted on IIS.
Please suggest.
If the certificate is a *.example.com cert, then yes, you can. That is, after all, the whole point of a wild card certificate: to support any domain combination of the base domain.
We do it ourselves.
I'm unsure if that is your actual question though.
If you have enabled your Wildcard SSL certificate for your domain *.example.com then yes you can secure both subdomains erp (.dot) example.com and app (.dot) example.com.
Below resources will help you to install Wildcard SSL certificate on IIS server very easily:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO19990
https://www.clickssl.net/blog/how-to-install-wildcard-ssl-certificate-in-iis-7
You are questioning about two domains, but actually you have two sub-domains under single domain and if you already have Wildcard SSL certificate, your all sub-domains will be protected. Wildcard SSL issued on *.example.com will automatically secure unlimited number of sub-domains. It does not really matter your sub-domains are hosted on same server or differently, you can secure all with Wildcard Certificate.
What will be secured with single Wildcard SSL;
https://app.example.com
https://erp.example.com
https://anything.example.com
Ps: Wildcard certificate will help you secure sub-domain only first level.
I have one website will be accessed by multiple different domains and will have separate SSL certificates for each.
Is it possible?
IF no then Is there any work around to install multiple certificates for single web site?
Instead of having separate SSL certificate for each domain you can go for Multi domain certificate using Subject Alternative Names (SAN). It will be single certificate with multiple domains. Following image shows SAN certificate.
Image Courtesy : DigiCert
SSL Certificate can only be issued to a FQDN (fully qualified domain name).
You better have elaborated your question with examples. By the way, let me guess and try to answer. As you said “You have one website – will be accessed by multiple different domains” - if I'm not wrong your are talking about one website which may be www.domain.com and multiple domains may be sub-domains like, blog.domain.com, photos.domain.com or anything.domain.com. If I have hit bulls eye, you don't need to get different SSL Certificates because all this domain can be secured with single Wildcard SSL Certificate. Wildcard SSL works on asterisk, so it will issued on *.domain.com and anything in place of asterisk will be covered.
But make a note, Wildcard SSL can work only on single level so something like blog.photos.domain.com will not be secured if you have got certificate for *.domain.com
Different Scenario: If you have something like this, domain.com, domain.co.uk, domain.com.eu etc. and it can be secured with different certificates. It may be costly deal if you have 20-30 or more domains, ideally you can get one multi-domain certificate to secure all these. Visit this article which will help you understand difference between Wildcard SSL and SAN functionality more deeply.
I am trying to host 2 sites on a single IP address and they need to be accessed via SSL however the majority of my users use Internet Explorer on Windows XP meaning using multiple SSLs with SNI may prevent them getting access.
I was wondering if I could use a multiple virtual hosts but still use a single SSL certificate and avoid SNI ?
Alternatively how feasible is it for me to install two Apache webserver instances, each its own DocumentRoot and own SSL certificate and for me to simply use the first Apache webserver as an entry point to entertain some requests and to redirect others to the other SSLed Apache instance ?
Could I potentially use the Windows Host file (Windows 2008 Server) to redirect incoming requests to the intended Apache Server instead of using VirtualHosts ?
Apologies if I have confused concepts.
You can try to purchase an X.509 certificate with two domains in it. I don't know what particular CAs do this, but I also don't see why they would refuse. You need to ask their support, though.
Your idea to redirect some requests to another server residing on a different port sounds good as well, though you will have to use two different certificates for different domain names, of course.
Finally if your second domain can be something like additional.mydomain.com , you have greater chance to buy a certificate issued for mydomain.com + www.mydomain.com + additional.mydomain.com (this can be a wildcard certificate or a certificate with additional subdomain names).
I am running a multi-language web store accessible from differents domains, that lead to different languages.
The apache configuration is quite complex and I would like to have one single file shared with all the stores. I had this in place until I had to introduce SSL.
When it comes to apache and SSL certificates I would need to do something like:
SetEnv is_es 0<br>
SetEnvIfNoCase Host .*es is_es 1<br>
SSLCertificateFile /etc/ssl/certs/spanish.server.crt env=is_es<br>
This is aparently not possible, apache tells me:
<i>SSLCertificateFile takes one argument, SSL Server Certificate file (`/path/to/file' - PEM or DER encoded)</i>
I was wondering if there is any workaround. My goal is to avoid having different copies of the same configuration and having to propagate manually any changes I want to make.
It is hosted on a dedicated server, so I am free to do any changes to the setup.
When you are on a https connection, the Host header is inside the SSL encapsulation, so you need the full SSL handshake before you check for an hostname for your virtualhost.
You should go for SSL certificates with SAN (Subject Alternative Names), this will allow that a single certificate for multiple hostnames. (or a wildcard cert)
All the main browsers supports it already:
http://www.digicert.com/subject-alternative-name-compatibility.htm
And you can get one of this certs from the majors CAs:
http://www.digicert.com/subject-alternative-name.htm
http://www.verisign.com/ssl/buy-ssl-certificates/subject-alternative-name-certificates/index.html
http://www.thawte.com/ssl/san-uc-ssl-certificates/index.html
A co-worker told me that when you visit a website over SSL the certificate no longer guarantees that you're actually dealing with the intended recipient. This is due to something called "multi-domain SSL certificates". A quick google search seems to show these exist - but I was always under the impression SSL provided encryption and authentication. Is this no longer the case? Surely this is a step in the wrong direction?
There are wildcard certificates, which allow all hosts in one domain to be covered by the same cert. They're more expensive to get issued (since the CAs wouldn't make as much money as if you'd ordered multiple separate single-domain certs), but when you need to cover multiple hostnames in your domain with ssl, it can be quite a savings.
A properly issued cert will cover at LEAST one host name, like www.example.com. And with wildcarding, can cover *.example.com.
SSL by itself guarantees nothing in the way of identification - simply that the link is encrypted. Any certificate will do that for you - even self-signed ones. What you get with the "commercial" certs is a (theoretically) trustworthy third party saying "we've verified that the person who this www.example.com certificate was issused to really is www.example.com"
In addition to given answer, i would like to add few points about SAN (multidomain SSL). First of all, wildcard is not a multi-domain ssl, it only protects unlimited sub-domains as already explained by Marc.
To protect multiple domains like:
domain.net
domain.com
mail.domain.com
newdomain.com
you will require SAN certificates that start from just $60.
you can configure multi domain with SSL on both UBUNTU and REDHAT by following the document Multi domian with ssl