
I already have a Single Domain SSL on my main domain (example.com), but I would like to add a new SSL cert to my subdomain (api.example.com). Can I purchase another single Domain SSL, or do I need to buy a wildcard domain SSL and re-do the SSL cert on example.com?

Scott Pack
gregavola
  • If you're serving both domains from the same webserver or with VirtualHosts: Get a new cert that's either wildcard or with the subdomain as an alternate domain name. If you're serving them on separate servers, and **not** with VirtualHosts: Get a separate cert. – Jenny D May 20 '13 at 14:32
  • What about separate servers with Virtual Hosts? – gregavola May 20 '13 at 14:52
  • Sorry for being unclear. Separate servers/IP addresses = separate certs. Same server/IP address (whether as VirtualHost or as mod_rewrite or what have you) = combined cert. – Jenny D May 20 '13 at 19:47
  • So in this case - if api.example and example were on a different box - another certificate would work the best. – gregavola May 20 '13 at 19:50
  • Exactly! (And here's the reason why SSL doesn't work so well with separate certs if they're on the same server using NameVirtualHosts: http://serverfault.com/questions/507599/two-domains-when-ssl-on-same-directory/507613#507613). – Jenny D May 20 '13 at 19:52
  • Awesome - If this was answer - I'll give it a check mark. Thanks Jenny! – gregavola May 20 '13 at 20:08
  • I've made it into an answer now. – Jenny D May 21 '13 at 06:57

3 Answers


Wildcard vs. MultiDomain vs. Standard SSL Certificates

Just a quick run down of SSL types and when I recommend using them.

Wildcard

Domain: *.domain.com (domain.com)

Can be used for any *.domain.com and depending on the vendor domain.com. In Apache, this can be used in any server or Vhost configuration block. To prevent errors, the domain being served must match the *.domain.com pattern.

I recommend this SSL certificate if you have many (>5) domains using *.domain.com. For example, we have mail.domain.com, wiki.domain.com, my.domain.com and others. We can secure all of these with 1 SSL certificate.

MultiDomain

Domain: domain.com, anotherdomain.com, someotherdomain.com

Some vendors provide multidomain SSL certificates. These can be used for multiple, unique domain names, e.g. www.domain.com, www.anotherdomain.com.

These are required if you are serving multiple domains from the same Vhost and do not want SSL errors. For example, with WordPress Multi-site, you would need to use one of these certificates.

These are also good if you need SSL support to do redirects. For example if you want to redirect: https://www.anotherdomain.com/ -> https://www.domain.com/ within the same Vhost configuration.

Lastly, these can simplify management if you have dozens of domains. It is easier to keep track of a single cert than 50.

Standard SSL Certificates

Domain: www.domain.com (domain.com)

Good for a single domain. Some vendors may include www.domain.com and domain.com.

Recommended when a single domain requiring SSL is served from a Vhost or server.

jeffatrackaid
  • This is a good general list - however if I have two servers: example.com and api.example.com (with two different IPs) - can I get two domain SSL and use them (one for example.com and one for api.example.com)? – gregavola May 20 '13 at 19:09
  • If you have 2 servers, you can either buy a single wildcard certificate and use it on both or 2 different single certificates. Note that there is nothing technical that prevents you from using the same certificate on multiple servers. We use the same wildcard cert over 12 different servers for one client. However, licensing may limit the number of servers you can install on. Most SSL vendors allow unlimited server installs but it is always good to check. – jeffatrackaid May 21 '13 at 15:35
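As an added example (not code from the thread or from any vendor it mentions), the Python below encodes the name-matching rule that decides whether a browser accepts a certificate for a given hostname, then applies it to constructed name lists shaped like the three certificate types in the answer above. It is a simplified version of the rule clients implement (RFC 6125 section 6.4.3, RFC 2818 section 3.1): a wildcard counts only as the whole left-most label and matches exactly one label, so *.domain.com covers mail.domain.com but not domain.com (which is why the bare domain has to be listed as its own name, the "depending on the vendor" point) nor a.b.domain.com. The public suffix check real clients add is omitted.

```python
"""Which hostnames does a certificate's name list cover?

Added example, not from the original thread. The certificate name lists
below are constructed to mirror the wildcard, multi-domain and standard
certificate types; the matching rule is a simplified form of RFC 6125
section 6.4.3 (wildcard only as the entire left-most label, one label only).
"""
from typing import Dict, Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; drop a trailing dot if present.
    return name.lower().rstrip(".").split(".")


def name_matches(hostname: str, cert_name: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname."""
    host = _labels(hostname)
    pattern = _labels(cert_name)
    if len(host) != len(pattern):
        return False                 # a wildcard never spans more than one label
    if pattern[0] == "*":
        # Wildcard accepted only as the whole left-most label, and only with
        # at least two fixed labels after it, so "*.com" is rejected. Real
        # clients also consult the public suffix list; omitted here.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    if "*" in cert_name:
        return False                 # partial wildcards like "mail*.domain.com" are not honoured
    return host == pattern


def covered_by(hostnames: Iterable[str], cert_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the certificate name that covers it, or None.

    A None entry is a site for which the browser would show a name
    mismatch error if this certificate were served for it.
    """
    names = list(cert_names)
    return {h: next((n for n in names if name_matches(h, n)), None) for h in hostnames}


# Constructed sample name lists, one per certificate type in the answer.
WILDCARD_CERT = ["*.domain.com"]                                  # wildcard only
WILDCARD_PLUS_BARE = ["*.domain.com", "domain.com"]               # wildcard plus bare domain SAN
MULTIDOMAIN_CERT = ["www.domain.com", "www.anotherdomain.com", "someotherdomain.com"]
STANDARD_CERT = ["www.domain.com", "domain.com"]                  # single domain, www included


if __name__ == "__main__":
    hosts = ["domain.com", "www.domain.com", "mail.domain.com",
             "a.b.domain.com", "www.anotherdomain.com"]
    for label, names in [("wildcard", WILDCARD_CERT),
                         ("wildcard+bare", WILDCARD_PLUS_BARE),
                         ("multidomain", MULTIDOMAIN_CERT),
                         ("standard", STANDARD_CERT)]:
        print(label, covered_by(hosts, names))
```

Running it shows the practical difference between the types: the wildcard-only list leaves domain.com and a.b.domain.com uncovered, the multi-domain list covers unrelated names but nothing it does not list, and the standard certificate covers exactly its one site.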

You should have a separate certificate if either of these points is true:

  • The sites are run on different servers - extra important because if one of the servers is compromised, so that the certificate can be stolen and used by someone else, the other site will still not be compromised. If they were to have the same certificate, getting one cracked would mean that the cracker could also impersonate the other site.
  • The sites are on different IPs on the same server (although here you could choose to have the same certificate, having different ones means that it will be easier if you ever decide to move them around)
  • The sites are accessed via different protocols (e.g. one is a web server and the other a mail server)

You should have a common certificate (i.e. one with a Subject Alternative Name or with a wildcard name) if either of these points is true:

  • The sites are on the same server and IP and look exactly the same (e.g. if you want www.domain.com and domain.com to have exactly the same content and be accessed in the same way). In this case you don't need to have separate VirtualHosts for them; just make one of them a ServerAlias for the other.
  • The sites are on the same server and IP, and you are using NameVirtualHost to serve different content for each site. The reason why you still want to have only one common certificate can be found in this answer to an SSL question.
Jenny D

Yes, you can buy a separate single-domain SSL certificate for the subdomain.

You will, however, need a second IP for the second SSL.

ceejayoz
  • Ah, the subdomain, is sharing the IP address of the parent (example.com). In this case - I assume I will need to re-buy and re-implement? – gregavola May 20 '13 at 14:43
  • If both the browser and the webserver support SNI, you can use the same IP address for both sites. However, this means that browsers not supporting SNI won't work; most notably this includes any version of IE on XP. – Flup May 20 '13 at 14:47
  • So it sounds like the best way to get full support is to get the wildcard SSL? – gregavola May 20 '13 at 14:52
  • You may be able to ask your host for an additional IP for the second SSL, but otherwise wildcard is going to be necessary. – ceejayoz May 20 '13 at 14:54