
I want to use a multi-domain SAN certificate for 5 of my public-facing domains. All of these domains point to the same ingress server (SSL is terminated at the load balancer), but the backend processing for each may be different.

Is a SAN certificate a good choice, or should I go with a single-domain certificate for each of the domains, considering security?

If I go with a single-domain certificate, does the compromise of one domain affect all the other domains, since all are terminated at the same ingress server controller?

belkarx
ab-ha-y

1 Answer


Assuming you use strong TLS encryption on the load balancer, it's really the same security posture whether you use one cert or five; any TLS vulnerability, if present, would expose all of your domains regardless of how many actual certs are deployed - assuming that you use the same cipher suite on both types.

For me the biggest difference is in terms of information disclosure and administration.

Regarding information disclosure, with a multi-domain cert, casual inspection of the cert will disclose all your domains. If you don't want users of one domain to see the other four sites you host, then consider one cert for each.

And regarding administration, it is clearly easier to maintain one multi-domain cert than five. During renewal you only have one cert to worry about. And should there be an actual vulnerability in the cert discovered later, it's easier to remediate one cert.

Rodrigo Murillo
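The information-disclosure point in the answer above, shown at the byte level as an added example (this is not part of the original post and not the answerer's code): the subjectAltName extension is plaintext inside the X.509 certificate that the load balancer hands to every client in the TLS handshake, so a client of any one hostname reads all of them. The script builds the DER encoding of that extension for five constructed example hostnames, then parses it back with a minimal DER walker the way an inspection tool does. The hostnames are made up for the example, only dNSName entries are extracted (other GeneralName choices such as IP addresses are skipped), and the parser only handles this one extension rather than a whole certificate.

```python
"""Why a multi-domain (SAN) certificate discloses every hostname it covers.

Builds a DER subjectAltName extension (OID 2.5.29.17) for constructed example
hostnames and parses it back, comparing what a client learns from one shared
multi-domain cert versus one cert per domain.
"""

SAN_OID = "2.5.29.17"

# Constructed example hostnames for the demonstration; not taken from the question.
EXAMPLE_DOMAINS = [
    "shop.example.com",
    "api.example.com",
    "admin.example.com",
    "partner-portal.example.com",
    "legacy.example.net",
]

def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_san_extension(hostnames: list[str]) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }; extnValue wraps
    GeneralNames ::= SEQUENCE OF GeneralName, each dNSName being [2] (0x82) IA5String."""
    general_names = b"".join(_tlv(0x82, h.encode("ascii")) for h in hostnames)
    return _tlv(0x30, encode_oid(SAN_OID) + _tlv(0x04, _tlv(0x30, general_names)))

def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER element at pos; return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dns_names_from_extension(ext_der: bytes) -> list[str]:
    """Every dNSName in a DER subjectAltName extension ([] if it is some other extension)."""
    tag, ext_body, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or _tlv(0x06, oid_body) != encode_oid(SAN_OID):
        return []
    tag, value, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:  # an optional 'critical' BOOLEAN may precede the value; skip it
        tag, value, pos = _read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    _, names_body, _ = _read_tlv(value, 0)  # unwrap the GeneralNames SEQUENCE
    names, pos = [], 0
    while pos < len(names_body):
        tag, body, pos = _read_tlv(names_body, pos)
        if tag == 0x82:  # [2] dNSName; other GeneralName choices are ignored here
            names.append(body.decode("ascii"))
    return names

def names_visible_to_clients(domains: list[str], multi_domain: bool) -> dict[str, list[str]]:
    """Per domain, the hostnames a client of that domain learns from the cert it is served."""
    if multi_domain:
        shared = dns_names_from_extension(encode_san_extension(domains))
        return {d: list(shared) for d in domains}
    return {d: dns_names_from_extension(encode_san_extension([d])) for d in domains}

if __name__ == "__main__":
    for mode in (True, False):
        print("multi-domain cert:" if mode else "one cert per domain:")
        for host, seen in names_visible_to_clients(EXAMPLE_DOMAINS, mode).items():
            print(f"  client of {host} sees {seen}")
```

Run it with `python3` to see that every client of the shared certificate gets the full list of five names, while with one certificate per domain each client sees only the name it connected to. On a real certificate the same information is printed under "X509v3 Subject Alternative Name" by `openssl x509 -in cert.pem -noout -text`. One caveat when weighing the answer's disclosure point: separate certificates only stop casual inspection. Certificates from public CAs are published to Certificate Transparency logs, so the full set of hostnames remains discoverable by anyone who searches those logs, just not by looking at a single certificate.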