SSL Certificate SAN or Wildcard? [closed] - ssl

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 months ago.
Improve this question
I'm wanting to cover the a few domains with an SSL Certificate.
e.g.
portal.domain.com
app.domain.com
app1.domain.com
app2.domain.com
I'm a bit confused as to whether I can go for the cheaper Unified Communications Certificate, or whether I need to fork out for a wildcard certificate.
Is the only difference that the wildcard can have an unlimited number of subdomains, where the UCC only covers a set number under the SANs?
Thanks in advance

Yes, you are right Unified Communications Certificate covers a set on SANs but it can secure multiple domains, and hosts configured in your Exchange server where a traditional wildcard SSL cannot. For e.g. A wildcard ssl can secure first level of sub-domains like *.example dot com where a Unified Communications Certificate secures www.example dot com, www.example dot net etc.

Yes. Keep in mind that some old X.509 implementations might not support SAN, but that's pretty rare today (some Symbian OS phones for example, see http://www.digicert.com/subject-alternative-name-compatibility.htm).

Generally, a domain name or URL requires just one certificate to be secure. But what if you need to secure multiple domains? How can you manage their security without sacrificing budget and time?
Securing Multiple Domains
Securing multiple domains can be achieved with 2 approaches, Wildcard certificates and Unified Communications Certificates (UCC), also known as SAN (Subject Alternative Name). SAN lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, while a Wildcard certificate can support a single domain and an unlimited number of first-level subdomains. SAN/UCC can also be combined as an extension with a Wildcard to add functionality to the certificate. You can combine these two certificates as a Multi-domain Wildcard SSL Certificate depending on your needs. This makes managing the security of multiple websites much easier and cheaper than managing a separate SSL certificate for every domain you own.
Read More: Wildcard Vs SAN/UCC Certificates

It's only cheaper up until a certain number of domains, because UC and SAN certs charge by each domain name. You'll notice the price changes as you enter and subtract domains from this UCC link
If you know that you will have more than say 5 subdomains, save some cash with the wildcard because it's a set prices regardless of the number of sub domains.

UCC and SAN is only recommended for exchange server. your requirement seems like you need ssl with common name *.domain.com so that single ssl works for all sub-domains.
Know what exactly UCC and SAN is..
UCC / SAN cert is recommended only if you need to secure different tld like urdomain.com urdomain.co.uk urmydomain.net. This kind certs cost too much as it starts from $200.
Answering your question, I checked few brands wildcard ssl RapidSSL wildcard, comodo positive ssl wildcard, globalsign alphassl wildcard, geotrust wildcard ssl. I tested these brands installed ssl website in my iPhone and Samsung android phone. All works perfect.

I reviewed many ssl providers for UC certificates pricing. Apart from the pricing, I found some ssl providers sell same product with different names, like multi-domains ssl, san certificate and uc certificates.
Microsoft exchange server requires typical UC certificate, strongly recommended by Microsoft. I decided to purchase UC certificate but it costs too much, starts from $300 to $600 with veriour providers like comodo, globalsign, digicerts etc. First I purchase single domain ssl and failed in exchange server installation. I thought could save $$$ with single domain ssl.
Later I searched for UC certificate prices $50 to $100 and found ssl2buy ssl company provides comodo uc certificates for $60 only and it includes 4 domains.
https://www.ssl2buy.com/comodo-multi-domain-ssl.php
I purchased this uc certificate and installed on my exchange server. It works fine! No error - No installation issue, nothing.

Related

How to setup multiple https-capable subdomains in MAMP Pro?

I can set them up one-by-one with self-signed certs, but it's not practical for how many subdomains I'm working with.
Is there an easier way to do this?
Easiest is to use a wildcard certificate signed by a recognized authority. That also makes the certificates valid and validatable which is not the case for self signed certificates.
A wildcard certificate costs a fee for the signing service. Some 20 Euros a year currently. And you obviously have to go through a verification process, typically per telephone. The Let's Encrypt certificates are great, but they do not offer wildcard certificates. You certainly can automate the creation of their certificates by scripting, though, if you are willing to invest effort into that.
I personally used startssl in the past. Their portal is a bit difficult to use, but things work, and I failed to find anything comparable if it comes to prices. You need their "level 2" for a wildcard certificate, the free certificates are always for a single host name only. Each wildcard certificate will cost extra, obviously, but similar obviously you can use a single wildcard certificate with all host names within a given domain name which is what you are looking for I think.

Is a Wild Card SSL Certificate recommended?

I have below domains, buying a single wild card certificate beneficial? Or do I need to buy separate SSL certificates.
abc.example.com.au
abc.example.com.nz
abc.api.module.example.com
abc.api.global.example.com
Do I need to consider anything, when buying the SSL for the above domain. Appreciate your inputs.
Probably a better question for ServerFault or SuperUser, but since you're here, a wildcard certificate will only work for subdomains and only one level deep, so it would not work for any of the examples you mentioned.
Example: A cert with cn=*.example.com would work with a.example.com or b.example.com, but not 1.a.example.com. See https://en.wikipedia.org/wiki/Wildcard_certificate for more details.
Also, when using a wildcard does make it simpler to manage your certificates and renewals and applying updated certs and whatnot because the generation process only has to be done once and the same files and configs can be copied to all servers. Consider though that, if there is some kind of security issue with the wildcard cert, then it would affect all servers that use that cert. So a breach on one server would affect all servers and a problem with one would require an update to all servers that use it.
For these reasons, I generally use wildcard certs for non-production systems, and individual certs for production systems.
Single Wildcard SSL Certificate will not work in your all sub-domains.
You have now 3 options.
Get two different wildcard domains
Get a Multi Domain SSL (it will allow you to add sub-domains as well)
Get a Multi Domain Wildcard SSL Certificate (combination of 100 multiple domains and unlimited number of level-1 sub-domains).

Wildcard SSL - Which to chose and what is the key differences? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 7 years ago.
Improve this question
I have been left in confusion for quite some time in deciding which CA should I approach to obtain a SSL certificate. Much comparison has been made from different CA but I do not see what is the key differences that sets each other apart except the price they offer. Of cause typical buyers would have just gone to the cheapest they can find buy me on the other hand would like to know what are they actually offering given the price difference I am very sure there will be something distinctive between each other.
Now back to my question, I wanted to purchase a wildcard SSL for my website because I have several running sub-domains and of cause I do not want to purchase and EV for each of the site since I am not running a super huge company yet. I am comparing between 3 different CA which offers wildcard SSL namely:
DigiCert Wildcard Plus - USD595/year
Comodo Wildcard SSL - USD405/year
Comodo PremiumSSL Wildcard from namecheap.com - USD169/year
GoDaddy Deluxe Wildcard SSL - USD399/year
Noted that I am intended to purchase for 1 year at current moment since the website is still under the pilot stage. Now to my understanding the only key difference I can see between these 3 is the insurance coverage. Off the major price difference, what else sets them apart from each other? Which one would you suggest me to get or is there any other reliable CA that you could recommend?
In addition I would also like to inform that I am making a purchase with budget constraints. Preferable something that is less than USD600 per year.
The main things to consider when purchasing a wildcard certificate are:
If you want the certificate to support the domain itself (e.g., domain.com) in addition to subdomains (*.domain.com), then make sure that the wildcard vendor you choose supports Subject Alternative Name extension.
Before you buy, make sure you know who you are buying from. The link you supplied is a reseller of Comodo certificates (not Comodo itself), which is why it is less expensive than the others. If you look, you will find several other vendors that sell inexpensive Comodo wildcard certificates. Most of the resellers are probably ok - just make sure that their root certificates are trusted with all of the major clients you want to support.
If you intend to use the wildcard certificate for shopping, you may want to get a certificate with Extended Validation (EV). Some certificate vendors may not offer this.
An SSL certificate may have multiple chains to different root certificates. If you intend to support older web clients (i.e., IE6, IE8, Java 6, 7, Android 2.3) then you want a certificate with a path to a SHA1 signature in addition to a path to a SHA2 signature.
Some vendors may provide 4096 bit certificates, others may provide 2048 bit certificates. A few years ago, the transition from 1024 bit to 2048 bit occurred at different times for different vendors.
Test first with a self-signed wildcard certificate, so that you know exactly what your minimum requirements are. You will need to create your own private key and CSR anyway, so self-signing is a good way to test before you buy.
If you are trying to keep costs low, then start with the lowest-cost certificate you can find. Most vendors will give you a 30-day trial certificate. Use that time to refine your web server configuration and test client compatibility. One of my sites uses a PremiumSSL Wildcard from Comodo and another is using a reseller's wildcard certificate, and when set up properly there is no noticeable difference.

connecting SSL to subdomain [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have an SSL assigned to my main domain and I'm wondering if I can use the SSL to my sub-domain!! I frankly tried it out, but it shows warning page saying that this page is not safe or so on. Is there a solution to this so I can use the SSL on my sub-domain to let clients send their info on a secure connection.
The error message " This webpage is not available"
X.509 certificates (often called "SSL Certificates") are usually only bound to a single domain, usually mydomain.example, www.mydomain.example or secure.mydomain.example. They cannot be used on any other domain name, even if it's a subdomain (so a certificate for mydomain.example cannot be used for www.mydomain.example and vice-versa).
There currently exist 2 other types of certificates which can be used to simultaneously secure multiple domain names simultaneously:
A relatively new type of certificate called an "SAN Certificate" - short for "Subject Alternative Name" - also sometimes called "Unified Communications Certificates" after a feature in Microsoft Exchange Server which requires this certificate type. These certificates declare a finite list of hostnames they can be used against.
Then there's wildcard certificates. Historically these were very expensive but recently we've seen a huge drop in price. With one of these certs you can secure anysubdomain.mydomain.example including the top-level mydomain.example.
Without either of these SSL certificates you'll need to get an SSL cert for each domain name you want to secure.
Note that having a different certificate for each hostname/domain-name can cause problems because the TLS system establishes security for the channel before the HTTP Host: header is sent - this means that each secured website will need its own IP address or port number.
...unless you use SNI (Server Name Identification) certificates. The good news is that all modern browsers and servers support it SNI, so multiple secure websites can share IP addresses and port bindings with their own certificates (so without needing a single SAN certificate that lists all domains on it).
The bad news is that Internet Explorer on Windows XP cannot connect to SNI websites (but Chrome and Firefox are okay), and on the server-side you need at least Windows Server 2012 or later. So adopt SNI based on how popular IE+XP usage is.

SSL Certificates - differences [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 12 years ago.
Improve this question
How come the prices on SLL certificates are so drastically varied? GoDaddy and Namecheap for example have them starting at $9 and $49 respectively. Then Verisign has them starting at $1500!
What's the difference? That's a huge price difference.
I have an application where each user account is on it's own subdomain, and so I need a certificate that covers them all.
Thoughts, suggestions?
The actual differences are:
Price
Support
Level of Certificate Validation
Who/what trusts the Root CA
Really, It all comes down to the Root CA (Certificate Authority).
Verisign's Root CA is trusted by pretty much every device and browser out there.
If you purchase a certificate from (say) GoDaddy, then it will probably be trusted by your major browsers and operating systems. However, if you need SSL certificates to work on a particular brand of set-top-box, or mobile device, then you need to find out what Root CA's they trust.
While the certificate from an untrusted Root CA will still be perfectly valid, the device (browser, gadget, whatever) has no way to verify that it's a legitimate certificate.
I believe the cost of an SSL cert generally comes down to things like encryption strength, issue time, update time, support, warranty, and things of that nature.
With regard to users on sub domains how about a wildcard ssl certificate from Comodo? Expensive but will cover your entire site in one hit.
http://www.instantssl.com/ssl-certificate-products/ssl/ssl-certificate-sgc-wildcard.html
Edit Found a comparison site http://www.whichssl.com/comparisons/index.html
there are diffrent types of levels of ssl, meaning more verified = more money in short...
It's all about the marketing. A Godaddy cert will get you just as far as a Verisign one (I know, I've had both).