
I have a website that lets users create a subdomain app like this: https://subdomain.mydomain.com

I want them to be able to have the app appear as if it's on their site, like this: https://myapp.theirdomain.com or maybe https://theirdomain.com/myapp/

I'm using Heroku and was wondering if this is realistic and how the SSL certificate would be done such that it worked on both domains? If not, can I get it at least working on their domain?

ckarbass

1 Answer


If they run https://example.com/myapp/ then it's their responsibility to get a trusted certificate, as certificates are validated at domain level. They would then have to run a reverse proxy to your site. Then it doesn't matter what your certificate is, because the end user will never see it.

Otherwise, you can use Subject Alternate Names to assign a single certificate for multiple domains.

The good news is that because both of the domains are pointing to the same site, you don't need to worry about SNI extensions, which can break backwards compatibility for older browsers.

Mark Henderson
  • Just to clarify, Subject Alternate Names would be necessary in the case where my customer is https://myapp.example.com, and the Subject Alternate Names to assign a single cert for multiple domains would be set on their server or mine? I'm assuming theirs. – ckarbass Jun 29 '12 at 03:08
  • If you are hosting the service on your server, then *you* need to take care of the SSL with SANs. Because even though it's a subdomain of theirs, it points directly to your IP address, so it never touches their network. However, if it's a sub-folder of their primary domain, that's a different story (and a whole different set of technologies) – Mark Henderson Jun 29 '12 at 03:11
  • I guess a wildcard SSL certificate would do the same job (the number of apps on my site will be significant and dynamic, and it doesn't look like a SAN cert can be dynamically updated to reflect new subdomains on the fly...) – ckarbass Jun 29 '12 at 04:43
  • @ckarbass - a wildcard won't work, because it only covers from your domain downwards. So it will work for `*.example.com`, but *not* `*.example.com` AND `app.examplecorp.com`. So you will need to purchase a new cert each time you add an extra domain to your site unfortunately. I'm sure that there will be SSL providers with an API so you can automate the procedure. – Mark Henderson Jun 29 '12 at 05:17
  • and I'm pretty sure you can only have 1 cert per application on Heroku so you couldn't support multiple client domains over SSL. – John Beynon Jul 11 '12 at 07:54
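
The coverage rule discussed in the answer and comments above, as an added example that is not part of the original posts: it checks which hostnames a certificate's SAN list covers, using the usual RFC 6125 style matching (a `*` counts only as the whole left-most label and stands for exactly one label). The function names and the sample SAN lists are constructed for illustration, reusing the domain names from the question.

```python
# Added illustration: decide which hostnames a certificate's SAN list covers.
# Rules applied (RFC 6125 style, as browsers commonly enforce them):
#   - comparison is case-insensitive
#   - "*" is accepted only as the entire left-most label
#   - a wildcard stands for exactly one label, never several and never zero

def san_matches(hostname: str, san: str) -> bool:
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # a wildcard cannot absorb extra or missing labels
    if pattern[0] == "*":
        # need at least "*.name.tld", a non-empty first label, same suffix
        return len(pattern) >= 3 and host[0] != "" and host[1:] == pattern[1:]
    if "*" in san:
        return False  # partial ("f*.x.com") or inner ("a.*.com") wildcards
    return host == pattern

def cert_covers(hostname: str, san_list: list[str]) -> bool:
    return any(san_matches(hostname, san) for san in san_list)

def uncovered(hostnames: list[str], san_list: list[str]) -> list[str]:
    """Hostnames that would fail name validation against this certificate."""
    return [h for h in hostnames if not cert_covers(h, san_list)]

# Constructed sample data, based on the names used in the question.
WILDCARD_ONLY = ["*.mydomain.com", "mydomain.com"]
WITH_CUSTOMER_SAN = WILDCARD_ONLY + ["myapp.theirdomain.com"]
HOSTS = [
    "subdomain.mydomain.com",   # the provider's own subdomain app
    "mydomain.com",             # apex, listed explicitly as a SAN
    "a.b.mydomain.com",         # two labels deep: wildcard does not reach
    "myapp.theirdomain.com",    # customer's domain pointed at the provider
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + customer SAN", WITH_CUSTOMER_SAN)):
        print(f"{label}: not covered -> {uncovered(HOSTS, sans)}")
```

Each new customer domain means one more SAN entry and therefore a reissued certificate, which is the cost raised in the comments.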