2

We want to secure the following domains on a single server (1IP) with multiple virtual hosts:

secure.ourapp.com (VHOST1)
www.ourapp.com/login (VHOST2)
www.ourapp.com/signup (VHOST2)

After reading a lot on serverfault and online I found that we have 2 choices to roll with.

At GoDaddy I found the following two choices:

Single Domain with Unlimited Subdomains (Wildcard): €153.87
Multiple Domains (UCC): €69.23

Can anyone advise us on what certificate will be the most appropriate? We are looking for a solution that's easy to maintain/implement and that secures the above URL setup on a single server.

Browser compatibility is important to us. IE6 should also be secured with SSL.

solsol
  • You're going to need multiple IP addresses, regardless of which method you choose. – Mark Henderson Jul 29 '10 at 09:39
  • Not if he uses SNI. http://en.wikipedia.org/wiki/Server_Name_Indication – Warner Jul 29 '10 at 13:26
  • You can't use SNI because IE doesn't support it. – President James K. Polk Aug 01 '10 at 13:16
  • Haven't you asked about this before? http://serverfault.com/questions/164363/is-a-wildcard-ssl-the-only-option-in-this-multiple-vhost-1ip-setup/164366#164366 – tore- Aug 02 '10 at 13:39
  • If you've got a wildcard certificate you don't need multiple ip addresses (as long as all of your virtual hosts share a single parent domain). The SSL negotiation succeeds because '*.example.com' matches 'foo.example.com' and 'bar.example.com', and then you can do name-based virtual hosting just like you would for port 80 hosts. SNI -- when it's widely supported -- would let you do name based hosting even without a common parent domain. – larsks Nov 19 '10 at 20:36

5 Answers

2

With one IP, you are going to have limited support regardless. SNI, which allows VirtualHost with SSL, is only supported in modern browsers.

SNI Compatibility

  • Firefox 2 and up.
  • Opera 8 and up.
  • IE 7 and up. (Vista and up)

If you want consistent IE compatibility for your SSL connection without errors, you will need to have multiple IPs.

If you are positive that you are going to stick with the list of hostnames you identified for at least a year, I would go with UCC because it is cheaper. If you anticipate a need to throw up a bunch more SSL vhosts later on hostnames under the same domain, the ROI is with the wildcard cert as you would not have to buy a new certificate.

Both UCC and wildcard will be implemented the same way and maintenance will not be variable.

Warner
1

If you've only got a single IP address and are using VHOSTs, then I'd go for the wildcard certificate as Apache only allows one cert per static IP. There's a walkthrough on how to set Apache up this way here

RainyRat
  • Thanks, but I've read that UCC also allows multiple Vhosts to be secured on one IP? – solsol Jul 29 '10 at 10:06
  • SNI allows SSL to use the "Host:" header. It has more limited support, as it is fairly new. http://en.wikipedia.org/wiki/Server_Name_Indication – Warner Jul 29 '10 at 13:26
1

I recommend a Wildcard SSL Certificate to secure your domain plus subdomains.

kaul
1

I don't know why people talk about SNI and multiple IPs here. A wildcard certificate is ONE certificate and a UCC/SAN certificate is also ONE single certificate. So no SNI or IP based VHOST setup is needed here. Go for the wildcard certificate if you think there will be more SSL subdomains in the future.

The cheapest way would be a rewrite rule like:

# Send plain-HTTP requests for the two sensitive paths to HTTPS on the same
# host. %{REQUEST_URI} keeps the full requested path (e.g. /login/reset)
# instead of collapsing it to /login; mod_rewrite carries the original query
# string over automatically when the substitution has none of its own.
# R=301 makes the redirect permanent and L stops further rewriting.
<Location /login>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>

<Location /signup>
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>

and recode the application so that these URLs run under the SSL directive. Then you would only need one simple SSL certificate.

Engel Der
0

You do not need multiple IP addresses and you do not need to use SNI (which isn't fully supported yet). The best (and cheapest) option for your site is to use a wildcard or a UCC certificate. The UCC certificate will be your cheapest option if you only need to secure 2 hostnames (secure.ourapp.com and www.ourapp.com). Once you've installed the certificate, you will need to enable it for both VirtualHosts using the info at the bottom of this page: http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html

You don't need to worry about browser compatibility. As long as you buy from a trusted provider like GoDaddy, all the certificates will be compatible.

Robert
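As a worked check of the name matching that the comment by larsks, the answer by Engel Der and the answer by Robert all rely on (one certificate whose names cover every vhost hostname, so name-based vhosts on a single IP need neither SNI nor extra IPs), here is an added Python example that is not part of the original thread. It applies the browser-side matching rules of RFC 6125 (a wildcard is honoured only as the entire left-most label and matches exactly one label, so `*.ourapp.com` covers `www.ourapp.com` but neither `ourapp.com` nor `api.v2.ourapp.com`) to the two certificate choices from the question. The certificate name lists are constructed to model a wildcard certificate and a two-name UCC certificate rather than parsed from real certificates, and the hostnames and helper names are assumptions for illustration.

```python
"""Which hostnames does a certificate's name list cover?

Added example, not code from the original thread. Certificate names are
modelled as constructed lists of CN/SAN dNSName values; nothing is parsed
from a real certificate, so this runs offline.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    Rules as browsers apply them (RFC 6125 section 6.4.3):
    - ASCII case-insensitive comparison, trailing dot ignored
    - a wildcard counts only as the complete left-most label ("*.example.com");
      partial ("w*.example.com") or non-left-most wildcards never match
    - the wildcard matches exactly one label, so "*.example.com" covers
      "www.example.com" but not "example.com" and not "a.b.example.com"
    - "*.com" style patterns (fewer than two labels after the wildcard) are refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands in for exactly one label
    return h_labels[1:] == p_labels[1:]


def covered(cert_names, hostnames):
    """Map each vhost hostname to the certificate name that covers it (or None)."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


def uncovered(cert_names, hostnames):
    """Hostnames the certificate would produce a name-mismatch warning for."""
    return [host for host, name in covered(cert_names, hostnames).items() if name is None]


def needs_sni_or_extra_ip(cert_names, hostnames) -> bool:
    """True if one certificate cannot serve every vhost on the single IP.

    A name left uncovered would need its own certificate, hence either SNI
    (not available to the IE6 clients in the question) or a second IP.
    """
    return bool(uncovered(cert_names, hostnames))


# Constructed data modelling the question's two GoDaddy choices.
WILDCARD_CERT_NAMES = ["*.ourapp.com"]                      # "Single Domain with Unlimited Subdomains"
UCC_CERT_NAMES = ["secure.ourapp.com", "www.ourapp.com"]    # "Multiple Domains (UCC)"

# The vhost hostnames from the question. Paths such as /login and /signup are
# irrelevant to TLS: only the hostname in the URL is checked against the cert.
VHOST_HOSTNAMES = ["secure.ourapp.com", "www.ourapp.com"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT_NAMES), ("UCC", UCC_CERT_NAMES)):
        print(label, covered(names, VHOST_HOSTNAMES))
        print(label, "needs SNI or extra IP:", needs_sni_or_extra_ip(names, VHOST_HOSTNAMES))
        # The two cases people trip over: the bare domain and a deeper subdomain.
        print(label, "bare domain:", uncovered(names, ["ourapp.com"]))
        print(label, "nested subdomain:", uncovered(names, ["api.v2.ourapp.com"]))
```

Both certificate choices cover the two hostnames in the question, which is why one certificate on one IP suffices without SNI. The difference shows up on the edges: the wildcard does not cover the bare `ourapp.com` or a second-level subdomain, and the UCC covers nothing it does not list, so a later `api.ourapp.com` vhost means reissuing the UCC.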