3

Whoa, acronyms :) So according to this question you can have multiple SSL subdomains on one IP address as long as your server supports TLS (which Apache 2.2x does).

Another answer to that question points out that the client browser must have SNI support to work, which IE doesn't have on Windows XP. So, what happens to people with that browser is a warning message saying that the SSL cert doesn't match the domain.

Can one resolve this issue for those client browsers without SNI support? Does a wildcard (for subdomains) do the trick? Are there other (cheaper) options?

Kyle Cureau

1 Answer

5

Clients with no SNI support will get the first certificate loaded by Apache on that port.

So, yes, a wildcard certificate will not rely on client Server Name Indication support. If your resources all have a common parent domain, this is probably the way to go. The other option (with no common parent domain) is to use a certificate that provides Subject Alternate Names.

Both are expensive; an Alternate Names cert is a bit cheaper (but limits the number of sites you can cover, and needs to be re-issued when those sites change).

Shane Madden
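The certificate selection described in the answer above, as an added example that is not part of the original post: a small simulation of which certificate a name-based TLS server presents with and without SNI, and whether the client then sees a name mismatch. The hostnames, vhost layouts and function names are constructed for illustration; a request with no SNI gets the first vhost's certificate, as the answer states for Apache.

```python
# Added illustration: simulates name-based TLS certificate selection.
# All hostnames and vhost layouts below are constructed sample data.

def name_matches(pattern, host):
    """Certificate name match: '*' is allowed only as the whole
    left-most label and covers exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, host):
    return any(name_matches(n, host) for n in cert_names)

def select_cert(vhosts, sni):
    """vhosts is an ordered list of (server_name, cert_names).
    With no SNI the server cannot tell the sites apart and
    falls back to the first certificate loaded on the port."""
    if sni is not None:
        for server_name, cert_names in vhosts:
            if name_matches(server_name, sni):
                return cert_names
    return vhosts[0][1]

def client_result(vhosts, host, supports_sni):
    cert = select_cert(vhosts, host if supports_sni else None)
    return "ok" if cert_covers(cert, host) else "name mismatch warning"

# One certificate per site: only works for SNI-capable clients.
PER_SITE = [("a.example.com", ["a.example.com"]),
            ("b.example.com", ["b.example.com"])]
# Same wildcard certificate on every vhost (common parent domain).
WILDCARD = [("a.example.com", ["*.example.com"]),
            ("b.example.com", ["*.example.com"])]
# Same multi-name (SAN) certificate, no common parent domain needed.
SAN_NAMES = ["a.example.com", "b.example.org"]
SAN = [("a.example.com", SAN_NAMES), ("b.example.org", SAN_NAMES)]

if __name__ == "__main__":
    for label, layout, host in [("per-site", PER_SITE, "b.example.com"),
                                ("wildcard", WILDCARD, "b.example.com"),
                                ("SAN", SAN, "b.example.org")]:
        for sni in (True, False):
            print(label, host, "SNI" if sni else "no SNI",
                  "->", client_result(layout, host, sni))
```
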