12

Recently I contacted my shared hosting provider about setting up private SSL for a few of my sites. I have several sites hosted under the same plan (the plan allows for unlimited domains). However, I was told that since it is shared hosting and ultimately each site runs from the same IP address, I could install only a single certificate and secure only 1 of my sites (since each certificate requires a dedicated IP).

The other option they gave me was to use a shared certificate; this is unacceptable since the browser would generate a certificate warning. My question is: is this typical of shared hosting providers or could I find one that allows me multiple private certificates? I am currently developing several sites and would like to keep costs at a minimum which is why I am not yet upgrading to VPS or dedicated hosting. Thanks.

em444

9 Answers

6

The information provided to you by your shared hosting provider was indeed accurate.

SSL-based traffic has to be bound to a single IP address so that the initial SSL handshake and encrypted connection can be established. This is all done before the web server is even presented with the requested URI. Because of this you can only have one certificate bound to each IP address. While you can have unlimited domains bound to a single IP address, that precludes an SSL certificate installation.

Many shared providers will allow you to pay for an additional IP address on certain shared hosting plans to allow for SSL certificates to be utilized. You may find that your provider does in fact offer this, but it may be available only on another plan, as this would be considered a more advanced service, so it might not be available with a simpler hosting plan.

Jeremy Bouse
5

Edit: This question is from 2009, when the answer (below) was correct. If people run into this information now, it's more or less irrelevant:

The question is about SSL, and the limitation that you stated about SSL was and still is correct. However, everybody is using TLS now and Server Name Indication (SNI) is widely available, solving exactly this problem. Of course you can still continue to use wildcard certificates, but individual certificates for each TLS-host are possible as well.

This won't help in the situation of the original 2009 question, but it does update the answer to be more relevant at the time of the edit, 2015.


Original answer from 2009:

The information about 1 https endpoint per IP is correct. The protocol is such that the encryption starts before client and server negotiate the URL, which would be required for VirtualHosts to enable SSL. The key/certificate would depend on the URL - aka the host name - for setting up multiple certificates on one IP, but it's being used before the server knows which URL is about to be contacted.

I understand that the protocol is being worked on, but currently there's no solution to this issue - at least not generally available.

Update: If you get only 1 IP for yourself, you could make use of wildcard certificates. Basically they certify identity not for www.example.com but for *.example.com, so that you can have multiple hosts sharing the same IP without any warning generated in the browser.

Olaf
  • Could you please elaborate on your update: wouldn't that still generate a cert warning for any site other than *.example? – em444 Jul 23 '09 at 04:14
  • Yes it would. Wildcards are only really useful for hosts within the same domain, but I'd guess that you're hosting lots of different domains. – David Pashley Jul 23 '09 at 04:39
  • Yep, and I can't seem to find a work around short of getting multiple hosting plans or getting a dedicated plan... – em444 Jul 23 '09 at 04:45
  • Thanks David for answering the first question - I've been gone shortly after answering. Just for hosting multiple https sites you wouldn't need more than one server though. It's perfectly ok to have one server with multiple IP addresses and bind each of the addresses to its own SSL virtual host. The limit is the IP address (and possibly the hardware limitations imposed by your server(s)). You just have to find a hoster that provides multiple IPs per server. Mentioning multidomain https hosting is usually the reason they accept if they are in _that_ business at all. – Olaf Jul 23 '09 at 19:48
1

There are only two ways to have multiple domains secured that use the same IP. Either use different service ports for each cert (this option sucks) or find a CA that allows SubjectAltName within certificates.

With SubjectAltName you can define as many DNS entries per certificate as you like. Meaning one certificate will authenticate several domains. This is beyond wildcards as the domains don't have to have anything in common. As an example of this you can check out CAcert which allows this.

OliverS
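The two certificate-side options raised in this thread, Olaf's wildcard update (and em444's follow-up question about whether other domains would still warn) and OliverS's SubjectAltName answer, come down to how a browser matches the requested host name against the names in the certificate. The following is an added example, not code from the thread or from any browser: it implements the RFC 6125 matching rules on constructed certificate name lists, showing that `*.example.com` covers only one extra label under example.com, while a SAN certificate can list unrelated domains outright.

```python
"""
Hostname matching against a certificate's names, as a browser does it.

Added example (not code from the Server Fault thread). It applies the
matching rules of RFC 6125 to hand-constructed lists of certificate names:
  * a SubjectAltName dNSName entry matches its host exactly (case-insensitive),
  * a wildcard covers exactly one left-most label, so *.example.com matches
    www.example.com but not example.com, a.b.example.com or www.example.net.
"""
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, host: str) -> bool:
    """Return True if one certificate name (possibly a wildcard) covers host."""
    pat, hst = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return pat == hst
    # Wildcard rules: only the left-most label may be a bare '*', at least two
    # fixed labels must follow it (so '*.com' is rejected), and the '*' stands
    # for exactly one label of the host name.
    if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
        return False
    return len(hst) == len(pat) and pat[1:] == hst[1:]


def cert_covers(cert_names: Iterable[str], host: str) -> bool:
    """A browser accepts the certificate if any dNSName (or CN) matches."""
    return any(name_matches(n, host) for n in cert_names)


# Constructed certificate name lists, mirroring the two options in the thread.
WILDCARD_CERT = ["*.example.com"]                   # Olaf's wildcard suggestion
SAN_CERT = ["www.example.com", "shop.example.org",  # OliverS's SubjectAltName
            "blog.example.net"]


def summary() -> dict:
    """Which constructed hosts each certificate would secure without a warning."""
    hosts = ["www.example.com", "example.com", "a.b.example.com",
             "shop.example.org", "blog.example.net"]
    return {
        "wildcard": {h: cert_covers(WILDCARD_CERT, h) for h in hosts},
        "san": {h: cert_covers(SAN_CERT, h) for h in hosts},
    }


if __name__ == "__main__":
    for kind, results in summary().items():
        for host, ok in results.items():
            print(f"{kind:8s} {host:20s} {'OK' if ok else 'WARNING'}")
```

Running it shows the wildcard certificate covering only `www.example.com` out of the five constructed hosts, while the SAN certificate covers every name that was listed in it regardless of domain, which is exactly the distinction drawn in the answers above.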
1

That's no longer the case if using Apache 2.2.12 implementing SNI: a single address is no longer required per certificate. Hopefully we'll see more of this available to shared hosting now.

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

munkiepus
0

If you can find a shared host that will give you multiple IPs you could get multiple certs, but you can't really (as I understand it) have multiple certs on the same IP address unless it's shared.

If you want something more cost-effective (and you're not afraid of doing a bit of your own config work), you could look at the rackspace cloud (formerly Mosso, similar to EC2, just a bit cheaper... you could theoretically run a dev server for around $15 a month): http://www.rackspacecloud.com

[UPDATE] Don't have enough rep yet to comment, but as stated below you could technically get a wildcard cert, which is valid for all subdomains of a domain (*.example.com, which includes www.example.com). However, this doesn't work with multiple domains; you'll still need multiple IP addresses for the reasons explained by Olaf.

Ian Selby
  • Yea, I looked into a wildcard cert and it turns out that would be more expensive than simply signing up for extra hosting plans.... – em444 Jul 23 '09 at 04:39
0

This is not all that useful an answer right now, but in the future you should be able to use Server Name Indication, which uses an extension in the TLS protocol to send the server name as part of the TLS handshaking. It's specified in RFC3546. Unfortunately it's not very well supported. OpenSSL doesn't enable it by default until 0.9.8j, which was released 5 months ago. IE on Windows XP doesn't support it, but does on Vista. And IIS just doesn't support it at all. Until all your users on XP disappear and your hosting provider upgrades their servers, there isn't a great deal you can do about it.

David Pashley
  • That's good to know... unfortunately probably not an option for quite some time... do you happen to know if VPS hosting would allow me to accomplish my goal (I know little about it)... if not, what type of hosting plan would I need to allow this... thanks – em444 Jul 23 '09 at 04:52
  • You'd need a hosting provider that will give you as many IP addresses as you require. You may find a VPS provider that will do this, but I suspect you're more likely to find a dedicated server with that option, which is going to be two to three times more expensive. – David Pashley Jul 23 '09 at 05:11
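Jeremy Bouse's and Olaf's answers explain why one IP could hold only one certificate: the server had to pick its certificate before it knew which host the client wanted. The SNI answers from munkiepus and David Pashley describe the fix: the client puts the host name in the ClientHello, which is still plaintext. The following added example (not code from the thread, Apache or OpenSSL) builds a minimal TLS ClientHello record with a server_name extension in the RFC 3546 / RFC 6066 format, then shows the server side reading the name out of the unencrypted hello and selecting a certificate from a constructed virtual-host table; a hello without the extension, the legacy-client case the thread worries about, falls back to the IP-wide default certificate. The cipher suite bytes and certificate file names are constructed placeholders.

```python
"""
How Server Name Indication lets one IP serve many certificates.

Added example, not code from the Server Fault thread or from Apache/OpenSSL.
It builds a minimal TLS ClientHello record carrying a server_name extension
(RFC 3546 / RFC 6066 layout) and shows the server reading the requested host
name out of the plaintext hello, before any key exchange, so it can pick the
matching certificate. A hello with no SNI gets the default certificate.
"""
import secrets
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16     # record content type
HELLO_CLIENT = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # extension type for server_name
NAME_TYPE_HOST = 0x00    # host_name entry in the ServerNameList


def sni_extension(host: str) -> bytes:
    """server_name extension: type, length, ServerNameList with one host_name."""
    name = host.encode("idna")
    entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(host: Optional[str]) -> bytes:
    """Return one TLS record holding a ClientHello, with SNI if host is given."""
    body = struct.pack("!H", 0x0303)             # client_version: TLS 1.2
    body += secrets.token_bytes(32)              # random
    body += b"\x00"                              # empty session_id
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two constructed suite ids
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # compression_methods: null only
    extensions = sni_extension(host) if host else b""
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", HELLO_CLIENT) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Extract the server_name from a ClientHello record, or None if absent."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != HELLO_CLIENT:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # header, version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos >= len(hs):
        return None                                    # no extensions block
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            off = 2
            while off + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[off:off + 3])
                off += 3
                if ntype == NAME_TYPE_HOST:
                    return data[off:off + nlen].decode("idna")
                off += nlen
    return None


def choose_certificate(record: bytes, vhosts: Dict[str, str], default: str) -> str:
    """Name-based TLS virtual hosting: pick the certificate for the SNI name."""
    host = parse_sni(record)
    if host is None:
        return default            # legacy client: only the IP-wide default cert
    return vhosts.get(host.lower(), default)


# Constructed virtual-host table: one IP address, several certificates.
VHOSTS = {"www.example.com": "cert-example-com.pem",
          "shop.example.org": "cert-example-org.pem"}
DEFAULT_CERT = "cert-default.pem"

if __name__ == "__main__":
    for h in ["www.example.com", "shop.example.org", "other.example.net", None]:
        rec = build_client_hello(h)
        print(h, "->", parse_sni(rec), "->", choose_certificate(rec, VHOSTS, DEFAULT_CERT))
```

Because the host name travels in the clear in the first flight, a server (or a middlebox in front of it) can route on it before any certificate is sent; the same property is why SNI names show up in network logs and why a client without the extension can only ever be served the one default certificate for that address.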
0

It is true that you cannot have multiple ssl certs for a single IP.

However, it is technically possible to get a certificate that is valid for domain1.example.org, domain2.example.com, etc...

Here is an example.

cstamas
0

Does your host not allow you to have dedicated IPs? You should be able to find a host that allows you to purchase a plan with shared hosting, but dedicated IPs. We are doing this with Server Intellect www.serverintellect.com for example right now. Basically, they just charge us a separate small fee for each dedicated IP we require.

Charles
0

I have successfully deployed multiple SSL certificates on a single, but dedicated, host using IP aliasing. How this could or should be used on a shared hosting plan, I can't answer. I found this article on IBM Developerworks to be very informative.