When do SSL certs require a dedicated IP, and when don't they?

Question

My host has informed me that I need to purchase a dedicated IP from them in order to use a SSL cert I want to buy. I don't believe them. Is there a way to leave them out of the loop and get this done without purchasing the IP?

I've been using a self-signed certificate for SSL but I am now purchasing one so that users don't get scared by the red strikethrough in the https://. Since I'm not generating my own cert, and I don't have root access with my host, I had to ask them for the CSR, and they refuse to do that until I buy the dedicated IP.

I'm using cPanel/WHM and don't have root access, but all the SSL/TLS stuff seems to work except the CSR generator.

I think you might be merging "dedicated IP" meaning a single IP address per SSL website, and "dedicated IP" as an optional extra product your host sells? If you have one IP already that you can put a working self-signed SSL certificate on, then you can put a purchased SSL certificate on there instead. And yes, you can generate a CSR with OpenSSL on any linux computer, and then move the certificate to your host later (assuming the control panel lets you do that bit!). — TessellatingHeckler, Apr 30 '13 at 02:51
@TessellatingHeckler When I asked my host for the CSR, they told me I had to purchase a dedicated IP. I didn't realize there was more than one kind of dedicated IP. Which kind was my host trying to get me to buy? (Found a quote from their documentation: "installation of SSL certificate itself is free of charge, but it requires dedicated IP to be assigned to your domain. This means that you would need to get dedicated IP from us if you want to secure your domain with the certificate.") — brentonstrine, Apr 30 '13 at 02:57
@MichaelHampton any advice on how I can change this question so that it isn't a dupe? I mainly want to know whether I absolutely need to purchase a dedicated IP from my host or not, and the linked question isn't helping me find an answer. — brentonstrine, Apr 30 '13 at 03:01
Not really, without it also being off-topic; [SF] is meant for professional system administrators (such as your web hosting company) rather than their end users. But see [my other comment](http://serverfault.com/questions/503742/when-do-ssl-certs-require-a-dedicated-ip-and-when-dont-they?noredirect=1#comment565625_503743) for the answer you are looking for. — Michael Hampton, Apr 30 '13 at 03:11

score 1 · Answer 1 · answered Apr 30 '13 at 02:35

1

Yes, a dedicated IP address is necessary (except for SNI, which isn't supported in Android 2.x or IE 6/7/8, making it essentially unusable right now).

This is because the host name header is sent as part of the encrypted package. As a result, the server only has the IP address being connected to to figure out which virtual host to attempt to process with.

answered Apr 30 '13 at 02:35

ceejayoz

32,469
7
81
105

So has what I've been doing with the self-signed cert been ineffective? – brentonstrine Apr 30 '13 at 02:36
@brentonstrine No, it worked fine. See the duplicate target post for the full explanation :) – Michael Hampton Apr 30 '13 at 02:37
yeah, I was reading through that, I'm a bit confused. I didn't think I was using TLS or SSLv3... or am I misunderstanding that that's the only way. – brentonstrine Apr 30 '13 at 02:41
1

@brentonstrine If your host requires unique IP addresses, it has nothing to do with your certificates, but is a limitation of their (crappy) web hosting platform. – Michael Hampton Apr 30 '13 at 02:57
1

@brentonstrine: Look closely and you'll probably find that your self-signed cert was never actually served to anyone. – David Schwartz Apr 30 '13 at 07:17

When do SSL certs require a dedicated IP, and when don't they?

1 Answers1