4

On a server containing multiple unrelated sites, what is the best solution, in general, for applying SSL security to each site? Individual certificates for each site, or a SAN certificate?

javy

2 Answers

8

If the sites are unrelated, it would be best to have different certificates, and even more so if the different domains have different owners.

But multiple certificates on the same system can be a problem when you try to serve multiple domains from a single IP address. In this case the client needs to use the Server Name Indication (SNI) extension to signal to the server which of the hosts it is trying to access. While SNI is supported by all recent web browsers, it is not supported by older browsers (IE8 on XP), and several programming languages still have problems with it: support for SNI was added to Python only with 2.7.9 a year ago, so lots of systems don't support it. And while SNI has been available for Java since version 7, it still causes problems with older libraries on Android. Also, some bots don't support SNI either, like the bot for the search engine Bing.

Thus, it might in theory be nicer to have multiple certificates, but in practice this can cause problems.

Steffen Ullrich
  • I was going to answer based on personal experience and experiments but no need as your answer covers everything. +1 for info – Jonathan Gray Dec 05 '15 at 21:51
1

One for each site, so you have complete control over revocation of single certificates, renewal, and the certificate types and subdomains.

Also, you may require different SSL certificate types for different websites.

Daniel Ruf